Windows Analysis Report
cirby0J3LP.exe

Overview

General Information

Sample name: cirby0J3LP.exe
renamed because original name is a hash value
Original sample name: 7C66BDD58347B8176EC473F10FD836E6.exe
Analysis ID: 1414595
MD5: 7c66bdd58347b8176ec473f10fd836e6
SHA1: 9393eb297eb8504cf8b0c0dbcdbd78e04736da47
SHA256: 0a512b81dde0ab50e6bda9738413acc10fb55c16d798ab21fe49603178a5f86b
Tags: AsyncRAT, exe, RAT
Infos:

Detection

AsyncRAT, PureLog Stealer, XWorm, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Yara detected AsyncRAT
Yara detected PureLog Stealer
Yara detected XWorm
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: AspNetCompiler Execution
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Stores large binary data to the registry
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cirby0J3LP.exe (PID: 4444 cmdline: "C:\Users\user\Desktop\cirby0J3LP.exe" MD5: 7C66BDD58347B8176EC473F10FD836E6)
    • Craxs-updater.exe (PID: 2972 cmdline: "C:\Users\user\AppData\Roaming\Craxs-updater.exe" MD5: AF9F6A3FD994A9A9C8C94C90875AFA47)
      • cmd.exe (PID: 2124 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Taskhostm" /tr '"C:\Users\user\AppData\Roaming\Taskhostm.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 2228 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "Taskhostm" /tr '"C:\Users\user\AppData\Roaming\Taskhostm.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)
      • cmd.exe (PID: 6692 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD79C.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 6848 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
        • Taskhostm.exe (PID: 5260 cmdline: "C:\Users\user\AppData\Roaming\Taskhostm.exe" MD5: AF9F6A3FD994A9A9C8C94C90875AFA47)
    • cmd.exe (PID: 5776 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\craxstcp.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Taskhostm.exe (PID: 6188 cmdline: C:\Users\user\AppData\Roaming\Taskhostm.exe MD5: AF9F6A3FD994A9A9C8C94C90875AFA47)
    • aspnet_compiler.exe (PID: 4676 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
  • mDNSRespond.exe (PID: 4440 cmdline: "C:\Users\user\AppData\Roaming\mDNSRespond.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
    • conhost.exe (PID: 1896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • mDNSRespond.exe (PID: 6508 cmdline: "C:\Users\user\AppData\Roaming\mDNSRespond.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
    • conhost.exe (PID: 2848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: XWorm
Description: Malware with wide range of capabilities ranging from RAT to ransomware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT also has an infostealer use which targets browser information and cryptowallets. Usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

{"C2 url": ["google-updater.duckdns.org"], "Port": "2220", "Aes key": "<123456789>", "Install file": "DumpStack.exe"}
{"Server": "google-updater.duckdns.org", "Port": "2222", "Version": "0.5.8", "MutexName": "C7Giw5bN2YBa", "Autorun": "true", "Group": "null"}

Source | Rule | Description | Author | Strings
dump.pcap | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x5c8:$x1: AsyncRAT
  • 0x606:$x1: AsyncRAT

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Craxs-updater.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Roaming\Taskhostm.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

Source | Rule | Description | Author | Strings
0000000B.00000002.3215968004.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x2153:$x1: AsyncRAT
  • 0x2191:$x1: AsyncRAT
  • 0x2b972:$s8: Win32_ComputerSystem
0000000B.00000002.3226207689.00000000053E0000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x1463f:$x1: AsyncRAT
  • 0x1467d:$x1: AsyncRAT
0000000F.00000002.3218633928.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0000000B.00000002.3218533849.0000000002C51000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x68b9b:$x1: AsyncRAT
  • 0x68bd9:$x1: AsyncRAT
0000000B.00000002.3218533849.0000000002DAC000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x5a53:$x1: AsyncRAT
  • 0x5a91:$x1: AsyncRAT
  • 0x5f57:$x1: AsyncRAT
  • 0x5f95:$x1: AsyncRAT

Source | Rule | Description | Author | Strings
2.0.Craxs-updater.exe.870000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.2.cirby0J3LP.exe.32c2618.2.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
11.2.Taskhostm.exe.7090000.2.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
11.2.Taskhostm.exe.7090000.2.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
11.2.Taskhostm.exe.7090000.2.raw.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  • 0x53956:$s1: file:///
  • 0x5385e:$s2: {11111-22222-10009-11112}
  • 0x538e6:$s3: {11111-22222-50001-00000}
  • 0x4e005:$s4: get_Module
  • 0x4e4ab:$s5: Reverse
  • 0x5323a:$s6: BlockCopy
  • 0x532b2:$s7: ReadByte
  • 0x53968:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

                System Summary

                Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Taskhostm" /tr '"C:\Users\user\AppData\Roaming\Taskhostm.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Taskhostm" /tr '"C:\Users\user\AppData\Roaming\Taskhostm.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Craxs-updater.exe" , ParentImage: C:\Users\user\AppData\Roaming\Craxs-updater.exe, ParentProcessId: 2972, ParentProcessName: Craxs-updater.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Taskhostm" /tr '"C:\Users\user\AppData\Roaming\Taskhostm.exe"' & exit, ProcessId: 2124, ProcessName: cmd.exe
                Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\Taskhostm.exe, ParentImage: C:\Users\user\AppData\Roaming\Taskhostm.exe, ParentProcessId: 6188, ParentProcessName: Taskhostm.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 4676, ProcessName: aspnet_compiler.exe
                Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\mDNSRespond.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ProcessId: 4676, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mDNSRespond
                Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ProcessId: 4676, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mDNSRespond.lnk
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "Taskhostm" /tr '"C:\Users\user\AppData\Roaming\Taskhostm.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "Taskhostm" /tr '"C:\Users\user\AppData\Roaming\Taskhostm.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Taskhostm" /tr '"C:\Users\user\AppData\Roaming\Taskhostm.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2124, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "Taskhostm" /tr '"C:\Users\user\AppData\Roaming\Taskhostm.exe"' , ProcessId: 2228, ProcessName: schtasks.exe

                Persistence and Installation Behavior

                Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Taskhostm" /tr '"C:\Users\user\AppData\Roaming\Taskhostm.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Taskhostm" /tr '"C:\Users\user\AppData\Roaming\Taskhostm.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Craxs-updater.exe" , ParentImage: C:\Users\user\AppData\Roaming\Craxs-updater.exe, ParentProcessId: 2972, ParentProcessName: Craxs-updater.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Taskhostm" /tr '"C:\Users\user\AppData\Roaming\Taskhostm.exe"' & exit, ProcessId: 2124, ProcessName: cmd.exe
                Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
                03/24/24-01:52:59.368147 | 2855924 | 49715 | 2220 | TCP | A Network Trojan was detected
                03/24/24-01:53:55.022330 | 2852923 | 49715 | 2220 | TCP | A Network Trojan was detected
                03/24/24-01:52:01.399838 | 2035595 | 2222 | 49704 | TCP | A Network Trojan was detected
                03/24/24-01:52:01.399838 | 2030673 | 2222 | 49704 | TCP | A Network Trojan was detected
                03/24/24-01:53:46.294572 | 2852874 | 2220 | 49715 | TCP | A Network Trojan was detected
                03/24/24-01:53:55.021358 | 2852870 | 2220 | 49715 | TCP | A Network Trojan was detected

                AV Detection

                Source: cirby0J3LP.exe, Avira: detected
                Source: 0000000F.00000002.3218633928.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: Xworm {"C2 url": ["google-updater.duckdns.org"], "Port": "2220", "Aes key": "<123456789>", "Install file": "DumpStack.exe"}
                Source: 00000002.00000002.2026024507.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: AsyncRAT {"Server": "google-updater.duckdns.org", "Port": "2222", "Version": "0.5.8", "MutexName": "C7Giw5bN2YBa", "Autorun": "true", "Group": "null"}
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exe, ReversingLabs: Detection: 87%
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exe, Virustotal: Detection: 69%
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exe, ReversingLabs: Detection: 87%
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exe, Virustotal: Detection: 69%
                Source: cirby0J3LP.exe, ReversingLabs: Detection: 71%
                Source: cirby0J3LP.exe, Virustotal: Detection: 70%
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exe, Joe Sandbox ML: detected
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exe, Joe Sandbox ML: detected
                Source: cirby0J3LP.exe, Joe Sandbox ML: detected
                Source: cirby0J3LP.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: cirby0J3LP.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: aspnet_compiler.pdb source: mDNSRespond.exe, 00000010.00000000.2631695137.0000000000652000.00000002.00000001.01000000.0000000B.sdmp, mDNSRespond.exe.15.dr

                Networking

                Source: Traffic, Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 172.94.105.163:2222 -> 192.168.2.5:49704
                Source: Traffic, Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 172.94.105.163:2222 -> 192.168.2.5:49704
                Source: Traffic, Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.5:49715 -> 172.94.105.163:2220
                Source: Traffic, Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 172.94.105.163:2220 -> 192.168.2.5:49715
                Source: Traffic, Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.5:49715 -> 172.94.105.163:2220
                Source: Traffic, Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 172.94.105.163:2220 -> 192.168.2.5:49715
                Source: Malware configuration extractor, URLs: google-updater.duckdns.org
                Source: unknown, DNS query: name: google-updater.duckdns.org
                Source: Yara match, File source: 2.0.Craxs-updater.exe.870000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.cirby0J3LP.exe.32c2618.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.cirby0J3LP.exe.32b0fd8.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 2.2.Craxs-updater.exe.2d6d960.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: C:\Users\user\AppData\Roaming\Craxs-updater.exe, type: DROPPED
                Source: Yara match, File source: C:\Users\user\AppData\Roaming\Taskhostm.exe, type: DROPPED
                Source: Joe Sandbox View, ASN Name: AS45671-NET-AUWholesaleServicesProviderAU AS45671-NET-AUWholesaleServicesProviderAU
                Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown, DNS traffic detected: queries for: google-updater.duckdns.org
                Source: Taskhostm.exe, 0000000B.00000002.3215968004.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                Source: 77EC63BDA74BD0D0E0426DC8F80085060.11.dr, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                Source: Taskhostm.exe, 0000000B.00000002.3226207689.00000000053E0000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab0;
                Source: Craxs-updater.exe, 00000002.00000002.2026024507.0000000002D68000.00000004.00000800.00020000.00000000.sdmp, Taskhostm.exe, 0000000B.00000002.3218533849.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000F.00000002.3218633928.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: Yara match, File source: 00000002.00000002.2026024507.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: Craxs-updater.exe PID: 2972, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: Taskhostm.exe PID: 6188, type: MEMORYSTR

                Operating System Destruction

                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exe, Process information set: 00 00 00 00
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exe, Process information set: 01 00 00 00

                System Summary

                Source: dump.pcap, type: PCAP, Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 11.2.Taskhostm.exe.7090000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects zgRAT, Author: ditekSHen
                Source: 11.2.Taskhostm.exe.3cded50.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects zgRAT, Author: ditekSHen
                Source: 11.2.Taskhostm.exe.7090000.2.unpack, type: UNPACKEDPE, Matched rule: Detects zgRAT, Author: ditekSHen
                Source: 11.2.Taskhostm.exe.3cded50.1.unpack, type: UNPACKEDPE, Matched rule: Detects zgRAT, Author: ditekSHen
                Source: 0000000B.00000002.3215968004.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 0000000B.00000002.3226207689.00000000053E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 0000000B.00000002.3218533849.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 0000000B.00000002.3218533849.0000000002DAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 0000000C.00000002.2091062669.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 00000002.00000002.2025313085.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 0000000B.00000002.3215968004.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 0000000B.00000002.3229153406.0000000007090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects zgRAT, Author: ditekSHen
                Source: 0000000C.00000002.2090243643.000000000130A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 00000002.00000002.2026024507.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 0000000B.00000002.3218533849.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: Process Memory Space: Craxs-updater.exe PID: 2972, type: MEMORYSTR, Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: Process Memory Space: Taskhostm.exe PID: 6188, type: MEMORYSTR, Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: Process Memory Space: Taskhostm.exe PID: 5260, type: MEMORYSTR, Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: cirby0J3LP.exe, 00000000.00000000.1971589336.0000000000F78000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameOutput.exe4 vs cirby0J3LP.exe
                Source: cirby0J3LP.exe, 00000000.00000002.1980240684.0000000003291000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWidsServicep( vs cirby0J3LP.exe
                Source: cirby0J3LP.exeBinary or memory string: OriginalFilenameOutput.exe4 vs cirby0J3LP.exe
                Source: cirby0J3LP.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: dump.pcap, type: PCAPMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 11.2.Taskhostm.exe.7090000.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 11.2.Taskhostm.exe.3cded50.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 11.2.Taskhostm.exe.7090000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 11.2.Taskhostm.exe.3cded50.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 0000000B.00000002.3215968004.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0000000B.00000002.3226207689.00000000053E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0000000B.00000002.3218533849.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0000000B.00000002.3218533849.0000000002DAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0000000C.00000002.2091062669.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000002.00000002.2025313085.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0000000B.00000002.3215968004.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0000000B.00000002.3229153406.0000000007090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 0000000C.00000002.2090243643.000000000130A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000002.00000002.2026024507.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0000000B.00000002.3218533849.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: Process Memory Space: Craxs-updater.exe PID: 2972, type: MEMORYSTRMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: Process Memory Space: Taskhostm.exe PID: 6188, type: MEMORYSTRMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: Process Memory Space: Taskhostm.exe PID: 5260, type: MEMORYSTRMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: cirby0J3LP.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: cirby0J3LP.exe, -4-.csCryptographic APIs: 'TransformFinalBlock'
                Source: 11.2.Taskhostm.exe.3cded50.1.raw.unpack, fbsATUu2zWf92F5al6qE.csCryptographic APIs: 'CreateDecryptor'
                Source: 11.2.Taskhostm.exe.7090000.2.raw.unpack, fbsATUu2zWf92F5al6qE.csCryptographic APIs: 'CreateDecryptor'
                Source: 11.2.Taskhostm.exe.2e1a388.0.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
                Source: 11.2.Taskhostm.exe.2e1a388.0.raw.unpack, -.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 11.2.Taskhostm.exe.2e1a388.0.raw.unpack, -.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.cirby0J3LP.exe.32c2618.2.raw.unpack, -8-.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.cirby0J3LP.exe.32c2618.2.raw.unpack, -8-.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.cirby0J3LP.exe.32b0fd8.1.raw.unpack, -8-.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.cirby0J3LP.exe.32b0fd8.1.raw.unpack, -8-.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: Craxs-updater.exe.0.dr, -8-.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: Craxs-updater.exe.0.dr, -8-.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: Taskhostm.exe.2.dr, -8-.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: Taskhostm.exe.2.dr, -8-.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 2.2.Craxs-updater.exe.2d6d960.0.raw.unpack, -8-.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 2.2.Craxs-updater.exe.2d6d960.0.raw.unpack, -8-.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engineClassification label: mal100.troj.evad.winEXE@27/15@1/1
                Source: C:\Users\user\Desktop\cirby0J3LP.exeFile created: C:\Users\user\AppData\Roaming\Craxs-updater.exe
                Source: C:\Users\user\AppData\Roaming\mDNSRespond.exeMutant created: NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeMutant created: \Sessions\1\BaseNamedObjects\Izm0TmDP2lfMAqRt
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2848:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5240:120:WilError_03
                Source: C:\Users\user\Desktop\cirby0J3LP.exeMutant created: \Sessions\1\BaseNamedObjects\iMS4HHd50R0KRsCV2
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1896:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3172:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeMutant created: \Sessions\1\BaseNamedObjects\C7Giw5bN2YBa
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeFile created: C:\Users\user\AppData\Local\Temp\tmpD79C.tmp
                Source: cirby0J3LP.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\cirby0J3LP.exeFile read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\cirby0J3LP.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: cirby0J3LP.exeReversingLabs: Detection: 71%
                Source: cirby0J3LP.exeVirustotal: Detection: 70%
                Source: unknownProcess created: C:\Users\user\Desktop\cirby0J3LP.exe "C:\Users\user\Desktop\cirby0J3LP.exe"
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess created: C:\Users\user\AppData\Roaming\Craxs-updater.exe "C:\Users\user\AppData\Roaming\Craxs-updater.exe"
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\craxstcp.bat" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Taskhostm" /tr '"C:\Users\user\AppData\Roaming\Taskhostm.exe"' & exit
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD79C.tmp.bat""
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Taskhostm" /tr '"C:\Users\user\AppData\Roaming\Taskhostm.exe"'
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 3
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\Taskhostm.exe C:\Users\user\AppData\Roaming\Taskhostm.exe
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Taskhostm.exe "C:\Users\user\AppData\Roaming\Taskhostm.exe"
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\mDNSRespond.exe "C:\Users\user\AppData\Roaming\mDNSRespond.exe"
                Source: C:\Users\user\AppData\Roaming\mDNSRespond.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\mDNSRespond.exe "C:\Users\user\AppData\Roaming\mDNSRespond.exe"
                Source: C:\Users\user\AppData\Roaming\mDNSRespond.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess created: C:\Users\user\AppData\Roaming\Craxs-updater.exe "C:\Users\user\AppData\Roaming\Craxs-updater.exe"
                Source: C:\Users\user\Desktop\cirby0J3LP.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\cirby0J3LP.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: cirby0J3LP.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: cirby0J3LP.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: aspnet_compiler.pdb source: mDNSRespond.exe, 00000010.00000000.2631695137.0000000000652000.00000002.00000001.01000000.0000000B.sdmp, mDNSRespond.exe.15.dr

                Data Obfuscation

                Source: 11.2.Taskhostm.exe.3cded50.1.raw.unpack, fbsATUu2zWf92F5al6qE.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 11.2.Taskhostm.exe.7090000.2.raw.unpack, fbsATUu2zWf92F5al6qE.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: Craxs-updater.exe.0.dr, -14-.cs.Net Code: _003F0_003F
                Source: Craxs-updater.exe.0.dr, -28-.cs.Net Code: _003F0_003F System.Reflection.Assembly.Load(byte[])
                Source: 0.2.cirby0J3LP.exe.32c2618.2.raw.unpack, -14-.cs.Net Code: _003F0_003F
                Source: 0.2.cirby0J3LP.exe.32c2618.2.raw.unpack, -28-.cs.Net Code: _003F0_003F System.Reflection.Assembly.Load(byte[])
                Source: 0.2.cirby0J3LP.exe.32b0fd8.1.raw.unpack, -14-.cs.Net Code: _003F0_003F
                Source: 0.2.cirby0J3LP.exe.32b0fd8.1.raw.unpack, -28-.cs.Net Code: _003F0_003F System.Reflection.Assembly.Load(byte[])
                Source: Taskhostm.exe.2.dr, -14-.cs.Net Code: _003F0_003F
                Source: Taskhostm.exe.2.dr, -28-.cs.Net Code: _003F0_003F System.Reflection.Assembly.Load(byte[])
                Source: 2.2.Craxs-updater.exe.2d6d960.0.raw.unpack, -14-.cs.Net Code: _003F0_003F
                Source: 2.2.Craxs-updater.exe.2d6d960.0.raw.unpack, -28-.cs.Net Code: _003F0_003F System.Reflection.Assembly.Load(byte[])
                Source: 11.2.Taskhostm.exe.2e1a388.0.raw.unpack, -.cs.Net Code: _FDD1 System.AppDomain.Load(byte[])
                Source: 11.2.Taskhostm.exe.2e1a388.0.raw.unpack, -.cs.Net Code: _FDD2 System.AppDomain.Load(byte[])
                Source: 11.2.Taskhostm.exe.2e1a388.0.raw.unpack, -.cs.Net Code: _FDD2
                Source: C:\Users\user\Desktop\cirby0J3LP.exeCode function: 0_2_00007FF848F300BD pushad ; iretd 0_2_00007FF848F300C1
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeCode function: 2_2_01077CA8 pushad ; retf 2_2_01077CA9
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeCode function: 11_2_02AC8202 push esi; retf 11_2_02AC8203
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeCode function: 11_2_02AC7CA8 pushad ; retf 11_2_02AC7CA9
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeCode function: 11_2_06E79901 push es; ret 11_2_06E79930
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeCode function: 11_2_071E4F71 pushfd ; retf 11_2_071E4F72
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeCode function: 11_2_071E4D62 pushfd ; retf 11_2_071E4D63
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeCode function: 11_2_071E4C9A pushfd ; retf 11_2_071E4C9B
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeCode function: 11_2_071E4CFD pushfd ; retf 11_2_071E4CFE
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeCode function: 11_2_071E5107 pushfd ; retf 11_2_071E5108
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeCode function: 11_2_071E503A pushfd ; retf 11_2_071E503B
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeCode function: 11_2_071E50A1 pushfd ; retf 11_2_071E50A2
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeCode function: 11_2_073A561D push ebx; retf 11_2_073A5632
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeCode function: 11_2_077068E9 pushad ; retf 11_2_077068FD
                Source: cirby0J3LP.exeStatic PE information: section name: .text entropy: 7.8967761803159915
                Source: 11.2.Taskhostm.exe.3cded50.1.raw.unpack, fbsATUu2zWf92F5al6qE.csHigh entropy of concatenated method names: 'gnhPSVuruoPuYmm0fOVQ', 'yjkmHOurY12fyAT0VYfQ', 'eftug7vKN06', 'kTTQVmur8DoWJE9dbd60', 't5ougnurf1Vjj2AWmKOL', 'kEoJnaurtHMf8dmTmK72', 'NAVU4vurlVM5CCcrXM1I', 'Xo6vbOureef2lNqts5iH', 'ThfCGgurjHxF3AddCWLD', 'R31Xduurmp0d9SMhvjxk'
                Source: 11.2.Taskhostm.exe.3cded50.1.raw.unpack, ilOxjauXj28cJ4aOQiTT.csHigh entropy of concatenated method names: 'vaXuyNDNSFX', 'E9xuyCOdmm4', 'NWAuysFLdKh', 'gTpuyEjO3OX', 'vOYuyUtX2al', 'WAkuypuuE1Y', 'OHXuyn4oCBs', 'akIuXC8272y', 'SgjuyaTQNsl', 'ofLuy96FVQM'
                Source: 11.2.Taskhostm.exe.3cded50.1.raw.unpack, dM9atrugh9vHptjVLkhf.csHigh entropy of concatenated method names: 'EBmuXuiqVmy', 'CHmuXYUJvXG', 'kCmuXbk1l4d', 'uE4uXWic1Hh', 'RQquXyaypBO', 'mssuX8f09PQ', 'KSYuXfs582Z', 'nQ2uXtL1kSo', 'LEPuXlN6oB8', 'kWEuXeJpltD'
                Source: 11.2.Taskhostm.exe.3cded50.1.raw.unpack, SendToMemory.csHigh entropy of concatenated method names: 'OhwuZMOHeO9', 'rk1uZ63bPto', 'zOIuZPjiPKe', 'Execute', 'QnnJ3kuDRRy4uK2sRUug', 'UtsVNGuDzsbbfKH7N5KO', 'mDjRfauiZ9LCWHQGhpuw', 'GjUDedui2ioVrZE49eEA', 'DcwupPuiIO3tYXDpf61M', 'FQkcZ2uigZNVbyj8qmob'
                Source: 11.2.Taskhostm.exe.7090000.2.raw.unpack, fbsATUu2zWf92F5al6qE.csHigh entropy of concatenated method names: 'gnhPSVuruoPuYmm0fOVQ', 'yjkmHOurY12fyAT0VYfQ', 'eftug7vKN06', 'kTTQVmur8DoWJE9dbd60', 't5ougnurf1Vjj2AWmKOL', 'kEoJnaurtHMf8dmTmK72', 'NAVU4vurlVM5CCcrXM1I', 'Xo6vbOureef2lNqts5iH', 'ThfCGgurjHxF3AddCWLD', 'R31Xduurmp0d9SMhvjxk'
                Source: 11.2.Taskhostm.exe.7090000.2.raw.unpack, ilOxjauXj28cJ4aOQiTT.csHigh entropy of concatenated method names: 'vaXuyNDNSFX', 'E9xuyCOdmm4', 'NWAuysFLdKh', 'gTpuyEjO3OX', 'vOYuyUtX2al', 'WAkuypuuE1Y', 'OHXuyn4oCBs', 'akIuXC8272y', 'SgjuyaTQNsl', 'ofLuy96FVQM'
                Source: 11.2.Taskhostm.exe.7090000.2.raw.unpack, dM9atrugh9vHptjVLkhf.csHigh entropy of concatenated method names: 'EBmuXuiqVmy', 'CHmuXYUJvXG', 'kCmuXbk1l4d', 'uE4uXWic1Hh', 'RQquXyaypBO', 'mssuX8f09PQ', 'KSYuXfs582Z', 'nQ2uXtL1kSo', 'LEPuXlN6oB8', 'kWEuXeJpltD'
                Source: 11.2.Taskhostm.exe.7090000.2.raw.unpack, SendToMemory.csHigh entropy of concatenated method names: 'OhwuZMOHeO9', 'rk1uZ63bPto', 'zOIuZPjiPKe', 'Execute', 'QnnJ3kuDRRy4uK2sRUug', 'UtsVNGuDzsbbfKH7N5KO', 'mDjRfauiZ9LCWHQGhpuw', 'GjUDedui2ioVrZE49eEA', 'DcwupPuiIO3tYXDpf61M', 'FQkcZ2uigZNVbyj8qmob'
                Source: C:\Users\user\Desktop\cirby0J3LP.exeFile created: C:\Users\user\AppData\Roaming\Craxs-updater.exe
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeFile created: C:\Users\user\AppData\Roaming\Taskhostm.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeFile created: C:\Users\user\AppData\Roaming\mDNSRespond.exe

                Boot Survival

                Source: Yara matchFile source: 00000002.00000002.2026024507.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Craxs-updater.exe PID: 2972, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Taskhostm.exe PID: 6188, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Taskhostm" /tr '"C:\Users\user\AppData\Roaming\Taskhostm.exe"'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mDNSRespond.lnk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mDNSRespond
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\A8505FC3A9CED55A2467 B0B5DDA6CAC5D1E91958379DC1FDA602DD1566127F21E30196382743A350A4D8
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\cirby0J3LP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\mDNSRespond.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara matchFile source: 00000002.00000002.2026024507.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Craxs-updater.exe PID: 2972, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Taskhostm.exe PID: 6188, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: Craxs-updater.exe, 00000002.00000002.2026024507.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\cirby0J3LP.exeMemory allocated: 17B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\cirby0J3LP.exeMemory allocated: 1B290000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeMemory allocated: 1070000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeMemory allocated: 2BE0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeMemory allocated: 2A10000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeMemory allocated: 2A80000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeMemory allocated: 2C10000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeMemory allocated: 4C10000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeMemory allocated: 2F10000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeMemory allocated: 31C0000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeMemory allocated: 12B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeMemory allocated: 2F90000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeMemory allocated: 4F90000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\mDNSRespond.exeMemory allocated: F80000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\mDNSRespond.exeMemory allocated: 2960000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\mDNSRespond.exeMemory allocated: 4960000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\mDNSRespond.exeMemory allocated: C00000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\mDNSRespond.exeMemory allocated: 25A0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\mDNSRespond.exeMemory allocated: 45A0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\cirby0J3LP.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\mDNSRespond.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeWindow / User API: threadDelayed 4917Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeWindow / User API: threadDelayed 4905Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWindow / User API: threadDelayed 3928Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWindow / User API: threadDelayed 5913Jump to behavior
                Source: C:\Users\user\Desktop\cirby0J3LP.exe TID: 3304Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exe TID: 2504Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exe TID: 5520Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exe TID: 4028Thread sleep time: -24903104499507879s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exe TID: 5068Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2604Thread sleep count: 35 > 30Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2604Thread sleep time: -32281802128991695s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2504Thread sleep count: 3928 > 30Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2504Thread sleep count: 5913 > 30Jump to behavior
                Source: C:\Users\user\AppData\Roaming\mDNSRespond.exe TID: 2992Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\mDNSRespond.exe TID: 4688Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: aspnet_compiler.exe, 0000000F.00000002.3217568014.00000000014F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll="
                Source: Craxs-updater.exe, 00000002.00000002.2026024507.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
                Source: Taskhostm.exe, 0000000B.00000002.3226207689.00000000053E0000.00000004.00000020.00020000.00000000.sdmp, Taskhostm.exe, 0000000B.00000002.3226207689.00000000054B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: Craxs-updater.exe, 00000002.00000002.2026024507.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware`,]q
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exe Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exe Code function: 2_2_01073768 CheckRemoteDebuggerPresent, 2_2_01073768
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exe Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exe Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exe Process token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exe Process token adjusted: Debug
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\cirby0J3LP.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\AppData\Roaming\Taskhostm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 40C000
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 40E000
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: E74008
                Source: C:\Users\user\Desktop\cirby0J3LP.exe Process created: C:\Users\user\AppData\Roaming\Craxs-updater.exe "C:\Users\user\AppData\Roaming\Craxs-updater.exe"
                Source: C:\Users\user\Desktop\cirby0J3LP.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\craxstcp.bat" "
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Taskhostm" /tr '"C:\Users\user\AppData\Roaming\Taskhostm.exe"' & exit
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD79C.tmp.bat""
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Taskhostm" /tr '"C:\Users\user\AppData\Roaming\Taskhostm.exe"'
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\Taskhostm.exe "C:\Users\user\AppData\Roaming\Taskhostm.exe"
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                Source: Taskhostm.exe, 0000000B.00000002.3218533849.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, Taskhostm.exe, 0000000B.00000002.3218533849.0000000002D40000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager@\]q
                Source: Taskhostm.exe, 0000000B.00000002.3218533849.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, Taskhostm.exe, 0000000B.00000002.3218533849.0000000002D40000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                Source: Taskhostm.exe, 0000000B.00000002.3218533849.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, Taskhostm.exe, 0000000B.00000002.3218533849.0000000002D40000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager@\]q%
                Source: Taskhostm.exe, 0000000B.00000002.3218533849.0000000002D27000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerTe]qx
                Source: Taskhostm.exe, 0000000B.00000002.3218533849.0000000002D40000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerTe]qp
                Source: Taskhostm.exe, 0000000B.00000002.3218533849.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, Taskhostm.exe, 0000000B.00000002.3218533849.0000000002D40000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerTe]q
                Source: C:\Users\user\Desktop\cirby0J3LP.exeQueries volume information: C:\Users\user\Desktop\cirby0J3LP.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeQueries volume information: C:\Users\user\AppData\Roaming\Craxs-updater.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\Craxs-updater.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeQueries volume information: C:\Users\user\AppData\Roaming\Taskhostm.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\mDNSRespond.exeQueries volume information: C:\Users\user\AppData\Roaming\mDNSRespond.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\mDNSRespond.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                Source: C:\Users\user\Desktop\cirby0J3LP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Lowering of HIPS / PFW / Operating System Security Settings

                Source: Yara matchFile source: 00000002.00000002.2026024507.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Craxs-updater.exe PID: 2972, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Taskhostm.exe PID: 6188, type: MEMORYSTR
                Source: aspnet_compiler.exe, 0000000F.00000002.3217568014.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\AppData\Roaming\Taskhostm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                Stealing of Sensitive Information

                Source: Yara matchFile source: 11.2.Taskhostm.exe.7090000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.Taskhostm.exe.3cded50.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.Taskhostm.exe.7090000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.Taskhostm.exe.3cded50.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000B.00000002.3229153406.0000000007090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3224658217.0000000003C17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.3218633928.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 4676, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara matchFile source: 11.2.Taskhostm.exe.7090000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.Taskhostm.exe.3cded50.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.Taskhostm.exe.7090000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.Taskhostm.exe.3cded50.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000B.00000002.3229153406.0000000007090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3224658217.0000000003C17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.3218633928.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 4676, type: MEMORYSTR
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | 1 Scripting | Valid Accounts | 12 Windows Management Instrumentation | 2 Scheduled Task/Job | 212 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Query Registry | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 2 Scheduled Task/Job | 1 Scripting | 2 Scheduled Task/Job | 1 Modify Registry | LSASS Memory | 441 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | 21 Registry Run Keys / Startup Folder | 21 Registry Run Keys / Startup Folder | 1 Disable or Modify Tools | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 21 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | 1 DLL Side-Loading | 1 DLL Side-Loading | 151 Virtualization/Sandbox Evasion | NTDS | 151 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 212 Process Injection | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Obfuscated Files or Information | DCSync | 23 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 22 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                [Behavior graph. ID: 1414595, Sample: cirby0J3LP.exe, Startdate: 24/03/2024, Architecture: WINDOWS, Score: 100]

                Source | Detection | Scanner | Label | Link
                cirby0J3LP.exe | 71% | ReversingLabs | Win32.Backdoor.AsyncRAT |
                cirby0J3LP.exe | 71% | Virustotal | | Browse
                cirby0J3LP.exe | 100% | Avira | TR/Dropper.Gen |
                cirby0J3LP.exe | 100% | Joe Sandbox ML | |

                Source | Detection | Scanner | Label | Link
                C:\Users\user\AppData\Roaming\Taskhostm.exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Roaming\Craxs-updater.exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Roaming\Craxs-updater.exe | 88% | ReversingLabs | Win32.Backdoor.AsyncRAT |
                C:\Users\user\AppData\Roaming\Craxs-updater.exe | 69% | Virustotal | | Browse
                C:\Users\user\AppData\Roaming\Taskhostm.exe | 88% | ReversingLabs | Win32.Backdoor.AsyncRAT |
                C:\Users\user\AppData\Roaming\Taskhostm.exe | 69% | Virustotal | | Browse
                C:\Users\user\AppData\Roaming\mDNSRespond.exe | 0% | ReversingLabs | |
                C:\Users\user\AppData\Roaming\mDNSRespond.exe | 0% | Virustotal | | Browse

                No Antivirus matches

                Source | Detection | Scanner | Label | Link
                google-updater.duckdns.org | 1% | Virustotal | | Browse

                Source | Detection | Scanner | Label | Link
                google-updater.duckdns.org | 0% | Avira URL Cloud | safe |
                google-updater.duckdns.org | 1% | Virustotal | | Browse

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                google-updater.duckdns.org | 172.94.105.163 | true | true | | unknown

                Name | Malicious | Antivirus Detection | Reputation
                google-updater.duckdns.org | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Craxs-updater.exe, 00000002.00000002.2026024507.0000000002D68000.00000004.00000800.00020000.00000000.sdmp, Taskhostm.exe, 0000000B.00000002.3218533849.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000F.00000002.3218633928.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                  172.94.105.163 | google-updater.duckdns.org | United States | | 45671 | AS45671-NET-AUWholesaleServicesProviderAU | true
                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1414595
                  Start date and time:2024-03-24 01:51:04 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 7m 27s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:20
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:cirby0J3LP.exe
                  renamed because original name is a hash value
                  Original Sample Name:7C66BDD58347B8176EC473F10FD836E6.exe
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@27/15@1/1
                  EGA Information:
                  • Successful, ratio: 42.9%
                  HCA Information:
                  • Successful, ratio: 93%
                  • Number of executed functions: 242
                  • Number of non-executed functions: 3
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                  • Excluded IPs from analysis (whitelisted): 72.21.81.240
                  • Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, slscr.update.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target Taskhostm.exe, PID 5260 because it is empty
                  • Execution Graph export aborted for target cirby0J3LP.exe, PID 4444 because it is empty
                  • Execution Graph export aborted for target mDNSRespond.exe, PID 4440 because it is empty
                  • Execution Graph export aborted for target mDNSRespond.exe, PID 6508 because it is empty
                  • Not all processes where analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                  Time | Type | Description
                  01:51:54 | Task Scheduler | Run new task: Taskhostm path: "C:\Users\user\AppData\Roaming\Taskhostm.exe"
                  01:52:01 | API Interceptor | 2x Sleep call for process: Taskhostm.exe modified
                  01:52:45 | API Interceptor | 112875x Sleep call for process: aspnet_compiler.exe modified
                  01:52:45 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run mDNSRespond C:\Users\user\AppData\Roaming\mDNSRespond.exe
                  01:52:53 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run mDNSRespond C:\Users\user\AppData\Roaming\mDNSRespond.exe
                  01:53:01 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mDNSRespond.lnk
                  No context
                  No context
                  Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                  AS45671-NET-AUWholesaleServicesProviderAU | uPG4ESUjG9.elf | Get hash | malicious | Mirai | Browse | 114.141.199.237
                  | nnEmvA5q3W.elf | Get hash | malicious | Unknown | Browse | 202.60.94.25
                  | skid.mips.elf | Get hash | malicious | Mirai, Moobot | Browse | 180.92.205.186
                  | 6G66kSe2A4.elf | Get hash | malicious | Mirai | Browse | 203.132.12.192
                  | b3astmode.arm.elf | Get hash | malicious | Mirai | Browse | 223.254.96.122
                  | SeEtB1mz3s.elf | Get hash | malicious | Mirai | Browse | 202.60.94.31
                  | http://rockdenelawyers.com.au | Get hash | malicious | Unknown | Browse | 221.121.143.249
                  | nRw8920u06.elf | Get hash | malicious | Mirai | Browse | 202.60.69.26
                  | fjM0TNqIVG.elf | Get hash | malicious | Mirai | Browse | 202.60.70.19
                  | MPpEzDMyRn.elf | Get hash | malicious | Mirai | Browse | 117.20.6.89
                  No context
                  Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                  C:\Users\user\AppData\Roaming\mDNSRespond.exe | SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe | Get hash | malicious | PureLog Stealer, XWorm | Browse |
                  | SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe | Get hash | malicious | PureLog Stealer, XWorm | Browse |
                  | 3vj5tYFb6a.exe | Get hash | malicious | Snake Keylogger, zgRAT | Browse |
                  | 50000PCSPIC12F1501-ESN.exe | Get hash | malicious | AgentTesla | Browse |
                  | SecuriteInfo.com.Win32.KeyloggerX-gen.6339.24340.exe | Get hash | malicious | XWorm | Browse |
                  | Jdxvyx.exe | Get hash | malicious | AgentTesla | Browse |
                  | SecuriteInfo.com.Win32.TrojanX-gen.11530.1442.exe | Get hash | malicious | AgentTesla | Browse |
                  | shipping_doc_62085317440.exe | Get hash | malicious | AgentTesla | Browse |
                  | PRE-ALERT_IOF23-24JPR1298.exe | Get hash | malicious | AgentTesla | Browse |
                  | TRANSF.exe | Get hash | malicious | GuLoader AgentTesla | Browse |
                                      Process:C:\Users\user\AppData\Roaming\Taskhostm.exe
                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 69211 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                      Category:dropped
                                      Size (bytes):69211
                                      Entropy (8bit):7.995787876711886
                                      Encrypted:true
                                      SSDEEP:1536:4vHkVfDISE//aDY0WAXTF+0daIpyFQaqPZkatNjgkFOE4/JZZWnEn6:4vHKfMSeKFXdBcmnXkksE40E6
                                      MD5:753DF6889FD7410A2E9FE333DA83A429
                                      SHA1:3C425F16E8267186061DD48AC1C77C122962456E
                                      SHA-256:B42DC237E44CBC9A43400E7D3F9CBD406DBDEFD62BFE87328F8663897D69DF78
                                      SHA-512:9D56F79410AD0CF852C74C3EF9454E7AE86E80BDD6FF67773994B48CCAC71142BCF5C90635DA6A056E1406E81E64674DB9584928E867C55B77B59E2851CF6444
                                      Malicious:false
                                      Process:C:\Users\user\AppData\Roaming\Taskhostm.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):330
                                      Entropy (8bit):3.132041233520707
                                      Encrypted:false
                                      SSDEEP:6:kKoglTN+SkQlPlEGYRMY9z+4KlDA3RUe1HEbpo:n8kPlE99SNxAhUe1HEVo
                                      MD5:C62BC741E665CF80134B84C4325006BA
                                      SHA1:02B5DBA2E58F0F1EDF2B06EA8C9257E3EB256330
                                      SHA-256:5E95D62ED5439FEA962005FBAFCD1E10932B05EE472BE2033538CD25EC16C762
                                      SHA-512:A3C98978EBEE7FF549676D12EBDD5C463984DDACA6A2131A3751D4A40B596DC6491A396D1BE3DA5BD5B941D96E54074962E88FD6356ADBA88025F4EABCD75983
                                      Malicious:false
                                      Preview:p...... ..........1{.}..(....................................................... .........;.i......(...........[...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".2.c.8.3.b.1.3.b.a.f.6.9.d.a.1.:.0."...
                                      Process:C:\Users\user\Desktop\cirby0J3LP.exe
                                      File Type:CSV text
                                      Category:dropped
                                      Size (bytes):654
                                      Entropy (8bit):5.380476433908377
                                      Encrypted:false
                                      SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                      MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                      SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                      SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                      SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                      Process:C:\Users\user\AppData\Roaming\Craxs-updater.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):739
                                      Entropy (8bit):5.348505694476449
                                      Encrypted:false
                                      SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaWzAbDLI4MNldKZat92n4M6:ML9E4KlKDE4KhKiKhBsXE4qdK284j
                                      MD5:A65F13C4355387C4645D260206AE915F
                                      SHA1:F8857636BB3B50E634E96E7B0ECE6AD77656BA5F
                                      SHA-256:DB8CA2E253F03395ABECD812505666B3BD5CE699B798E3F624D22EE605FB290E
                                      SHA-512:0584E8911FD08CC0BB833C6373AE5D161D00CF40FB4533B5DD0D31F38CF1783BB25E34084995A2D116AFB01ABAD14005D62EE51A1D9B79E262EF28775B878AB6
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                      Process:C:\Users\user\AppData\Roaming\Taskhostm.exe
                                      File Type:CSV text
                                      Category:dropped
                                      Size (bytes):425
                                      Entropy (8bit):5.353683843266035
                                      Encrypted:false
                                      SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
                                      MD5:859802284B12C59DDBB85B0AC64C08F0
                                      SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
                                      SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
                                      SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                      Process:C:\Users\user\AppData\Roaming\mDNSRespond.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):311
                                      Entropy (8bit):5.347482639021185
                                      Encrypted:false
                                      SSDEEP:6:Q3La/xwchA2DLIP12MUAvvr3tDLIP12MUAvvR+uTL2ql2ABgTv:Q3La/hhpDLI4M9tDLI4MWuPTAv
                                      MD5:1AC8524D3800CDD5A91A864BCD4C3AB5
                                      SHA1:D003AEE44AC954938CE83E4A80412E04F726EA83
                                      SHA-256:8652A0399D65C2D111841F66EF2E930CDB8291CC8203252D59FD4921FF336C02
                                      SHA-512:9F28B59B99D0BC1EB60D29BE54CE2DAAC7D9B5D895311169578383C19A46CCF7CDE498EB6D7F172CF7D1D11E5B16665DF989CD8EEC527282BE3B796CD08C7DAC
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
                                      Process:C:\Users\user\AppData\Roaming\Craxs-updater.exe
                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):155
                                      Entropy (8bit):5.006558498622976
                                      Encrypted:false
                                      SSDEEP:3:mKDDCMNqTtvL5oUkh4EaKC5ki0dASmqRDUkh4E2J5xAInTRIL+S7ZPy:hWKqTtT69aZ5kikASmq1923fT1S7k
                                      MD5:28CD7831618FC60436D02C005ADA98E7
                                      SHA1:38EE83A9FD339D0868BE9A65E394204BD2E8B2F4
                                      SHA-256:B87E21582F98B9147C3C74FFF575CC374B6DFEBC1E992B9DC520017AD0B745CD
                                      SHA-512:A5901EC06A87088502416BEE061F0317A68FF4BEFE16CD0D431D7F0AAD187A4D8880D47682E013725373037CF0C90EB013E106239AAC78569A0EDDF8D02AC9EA
                                      Malicious:false
                                      Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\Taskhostm.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpD79C.tmp.bat" /f /q..
                                      Process:C:\Users\user\Desktop\cirby0J3LP.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):71168
                                      Entropy (8bit):6.028338002815239
                                      Encrypted:false
                                      SSDEEP:1536:HJFqdmDhfvPBMFARO/Dy7PHgjqf3Su0jVYw8ZXQ/5:l5MORO/CAjaSRhYwie5
                                      MD5:AF9F6A3FD994A9A9C8C94C90875AFA47
                                      SHA1:57F1F8E31E19E955091DC260DC3B3B719DC8ACB1
                                      SHA-256:ED65C3098036711E6465145283C98B111779E118A45DBD66C62B8498063CC707
                                      SHA-512:4D955B1B0EFC78074BBC6EDFB7DF0F20171B055FA11121C020ADC6FE3882E38706D6A52B03C4EB92EFDED659EAE5CD232335626BB622DF15984ED97CE969D520
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Craxs-updater.exe, Author: Joe Security
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      • Antivirus: Virustotal, Detection: 69%, Browse
                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Mar 23 23:52:44 2024, mtime=Sat Mar 23 23:52:44 2024, atime=Sat Mar 23 23:52:44 2024, length=56368, window=hide
                                      Category:dropped
                                      Size (bytes):787
                                      Entropy (8bit):5.068845241835809
                                      Encrypted:false
                                      SSDEEP:12:8qp5Ch64fhNsk88C+MlsY//0qz0Lu4gljgJz2sjAOmHtIz2wmdqmV:8qp8fk8sZBWu4Vz2oAfIz2wmdqm
                                      MD5:4823C101449EE980EA37C8A70A96D8A9
                                      SHA1:AC51EA7F56285E234CD18CCFB8FE7F32BA94DF40
                                      SHA-256:CD13096E15F8B4ED93495ECFF4643F7F78F2AFD9968DDB998EA86CA8BC012497
                                      SHA-512:95A9D06961FE8902BBD0326102824D6B54862B77C040DD258C18ECBA072885EC125C1E230CD01CAE4FC591B0D7510D5E70B584AC3DA45DE940D51E0067CB404D
                                      Malicious:false
                                      Process:C:\Users\user\AppData\Roaming\Craxs-updater.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):71168
                                      Entropy (8bit):6.028338002815239
                                      Encrypted:false
                                      SSDEEP:1536:HJFqdmDhfvPBMFARO/Dy7PHgjqf3Su0jVYw8ZXQ/5:l5MORO/CAjaSRhYwie5
                                      MD5:AF9F6A3FD994A9A9C8C94C90875AFA47
                                      SHA1:57F1F8E31E19E955091DC260DC3B3B719DC8ACB1
                                      SHA-256:ED65C3098036711E6465145283C98B111779E118A45DBD66C62B8498063CC707
                                      SHA-512:4D955B1B0EFC78074BBC6EDFB7DF0F20171B055FA11121C020ADC6FE3882E38706D6A52B03C4EB92EFDED659EAE5CD232335626BB622DF15984ED97CE969D520
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Taskhostm.exe, Author: Joe Security
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      • Antivirus: Virustotal, Detection: 69%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e.............................&... ........@.. ....................................@..................................&..K....@..0....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H........... o..........................................................0..........(....*...0..V................8....8....8.....E........:...`...............8....8....8...... xQ@..c K..a ..$Y(......8....8....8...... O[..f.b ..(.X(......8....8....8......#..}..9.?(......8....8g...8....(.....(....8....8....9.....8....8....8.....8....8....:....s....z...8....8....8....8....8#...8.... ....(.....8....8....8......X..~....(....8....8....?....(....8....8....:.....(.....(7...8....8..
                                      Process:C:\Users\user\Desktop\cirby0J3LP.exe
                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):25
                                      Entropy (8bit):3.9434651896016466
                                      Encrypted:false
                                      SSDEEP:3:mKDDFRKCAC:hz
                                      MD5:84E07EF966513496088909E3F5AB14C6
                                      SHA1:CBB27A18E7DFE6C599F4498F023BA6B604A693BC
                                      SHA-256:C83270C72CA57E9D29CFFCAADE1A9963E55F50332538D9E39BC33558E883D4B7
                                      SHA-512:9EB5E97A62EB53C8C52135917AC74F85D8D0D17866766B9AE5C9E3F5A4B4F5CA076EC4B0B76D7310133B900472F8AED8A83F73A5195BBDD8007046A7185258FD
                                      Malicious:false
                                      Preview:@echo off..start aptd.exe
                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):56368
                                      Entropy (8bit):6.120994357619221
                                      Encrypted:false
                                      SSDEEP:768:fF9E8FLLs2Zokf85d9PTV6Iq8Fnqf7P+WxqWKnz8DH:ffE6EkfOd9PT86dWvKgb
                                      MD5:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                      SHA1:19DFD86294C4A525BA21C6AF77681B2A9BBECB55
                                      SHA-256:99A2C778C9A6486639D0AFF1A7D2D494C2B0DC4C7913EBCB7BFEA50A2F1D0B09
                                      SHA-512:94F0ACE37CAE77BE9935CF4FC8AAA94691343D3B38DE5E16C663B902C220BFF513CD02256C7AF2D815A23DD30439582DDBB0880009C76BBF36FF8FBC1A6DDC18
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%
                                      Joe Sandbox View:
                                      • Filename: SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe, Detection: malicious
                                      • Filename: SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe, Detection: malicious
                                      • Filename: 3vj5tYFb6a.exe, Detection: malicious
                                      • Filename: 50000PCSPIC12F1501-ESN.exe, Detection: malicious
                                      • Filename: SecuriteInfo.com.Win32.KeyloggerX-gen.6339.24340.exe, Detection: malicious
                                      • Filename: Jdxvyx.exe, Detection: malicious
                                      • Filename: SecuriteInfo.com.Win32.TrojanX-gen.11530.1442.exe, Detection: malicious
                                      • Filename: shipping_doc_62085317440.exe, Detection: malicious
                                      • Filename: PRE-ALERT_IOF23-24JPR1298.exe, Detection: malicious
                                      • Filename: TRANSF.exe, Detection: malicious
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A>.]..............0................. ........@.. ....................................`.................................t...O.......................0B..........<................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......t3..pc.............X...<........................................0..........s.....Y.....(.....Z.....&..(......+....(....o......r...p(....-..r...p(....,.....X....i2..-;(....(..........%.r!..p.(....(....((...(....(....(....( .....-.(7...(.....*.(....-..*.~S...-.~R....S...s!.....~W...o"....~U...o#....~V...o$....o%...~Y...o&...~S...~Q...~T....s'....P...~P...sE...o(............~W....@_,s.....()...r7..p.$(*........o+..........o,....2....... ....37(....(8.........%...o-....
                                      Process:C:\Users\user\AppData\Roaming\mDNSRespond.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):221
                                      Entropy (8bit):4.801526423190794
                                      Encrypted:false
                                      SSDEEP:6:zx3Me21f1LRJIQtAMw/VgRZBXVN+1GFJqozrCib:zKpj1JIUwqBFN+1Q3b
                                      MD5:A3DCA41A950A7DF7ECE76A867A17400E
                                      SHA1:AA9EFDBCF37BEE2C7FD0986F1A4308A73EC3F7BB
                                      SHA-256:6B2BE177016DF867316A0C432DAB0B71B6E51B35D169B0ACB1ABB47A4C03D7C0
                                      SHA-512:F80207B5B78C7AE867AAB139196BBBEDE0437961DD03E790AEF3B877A228D7A90B9178B3342324B0EEA1C270E2A232A769B2F2D9E5DB4C065EB95140FA12239D
                                      Malicious:false
                                      Preview:Microsoft (R) ASP.NET Compilation Tool version 4.8.4084.0..Utility to precompile an ASP.NET application..Copyright (C) Microsoft Corporation. All rights reserved.....Run 'aspnet_compiler -?' for a list of valid options...
                                      Process:C:\Windows\SysWOW64\timeout.exe
                                      File Type:ASCII text, with CRLF line terminators, with overstriking
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.41440934524794
                                      Encrypted:false
                                      SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                                      MD5:3DD7DD37C304E70A7316FE43B69F421F
                                      SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                                      SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                                      SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                                      Malicious:false
                                      Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.827081806777221
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      • DOS Executable Generic (2002/1) 0.01%
                                      File name:cirby0J3LP.exe
                                      File size:84'992 bytes
                                      MD5:7c66bdd58347b8176ec473f10fd836e6
                                      SHA1:9393eb297eb8504cf8b0c0dbcdbd78e04736da47
                                      SHA256:0a512b81dde0ab50e6bda9738413acc10fb55c16d798ab21fe49603178a5f86b
                                      SHA512:f2958ba94a168ba92d8f06d2dd643d3ea635c645996dd73d784bfcb2446359e750717d55e87d83422406f886a2fa0b9b6eb5c3a37e9cb98b2af476ab0c6821ba
                                      SSDEEP:1536:AOSzBCrc5Iv4jBsYEJNbcYszAwh4lc68h2f+IuI05bhGJLd5UIq08RzWwxika:FOBCI5Iv4jBYPSAwMHHfBAVsO90Aqr
                                      TLSH:3E83F131ABECC013D2160B315D6AEAE00A635777AD53EB2FACCA5F82D7673790761121
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M.e.................D...........`... ........@.. ....................................@................................
                                      Icon Hash:00928e8e8686b000
                                      Entrypoint:0x41600e
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x65F84D8C [Mon Mar 18 14:19:56 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                      Instruction
                                      jmp dword ptr [00402000h]
                                      add byte ptr [eax], al
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15fc0 | 0x4b | .text
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18000 | 0x4ce | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0xc | .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x2000 | 0x14014 | 0x14200 | 483ec805892a894ff8e94866226976e1 | False | 0.9244589479813664 | SysEx File - | 7.8967761803159915 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .rsrc | 0x18000 | 0x600 | 0x600 | 5463e06ff81b265648a74345f1b47ec5 | False | 0.3736979166666667 | data | 3.718109816353965 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0x1a000 | 0xc | 0x200 | 0053b411f8382d31dbabc0fc81ae488a | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                      RT_VERSION | 0x180a0 | 0x244 | data | | | 0.4706896551724138
                                      RT_MANIFEST | 0x182e4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                                      DLL | Import
                                      mscoree.dll | _CorExeMain
                                      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                      03/24/24-01:52:59.368147 | TCP | 2855924 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49715 | 2220 | 192.168.2.5 | 172.94.105.163
                                      03/24/24-01:53:55.022330 | TCP | 2852923 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49715 | 2220 | 192.168.2.5 | 172.94.105.163
                                      03/24/24-01:52:01.399838 | TCP | 2035595 | ET TROJAN Generic AsyncRAT Style SSL Cert | 2222 | 49704 | 172.94.105.163 | 192.168.2.5
                                      03/24/24-01:52:01.399838 | TCP | 2030673 | ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) | 2222 | 49704 | 172.94.105.163 | 192.168.2.5
                                      03/24/24-01:53:46.294572 | TCP | 2852874 | ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 | 2220 | 49715 | 172.94.105.163 | 192.168.2.5
                                      03/24/24-01:53:55.021358 | TCP | 2852870 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes | 2220 | 49715 | 172.94.105.163 | 192.168.2.5
                                      TimestampSource PortDest PortSource IPDest IP
                                      Mar 24, 2024 01:52:35.916604996 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:35.916656971 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:35.916693926 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:35.917337894 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:35.917398930 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:35.917434931 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:36.554768085 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.554907084 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.554995060 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:36.555912971 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.556055069 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.556101084 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:36.556327105 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.556739092 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.556756973 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.556770086 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.556785107 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:36.556804895 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:36.557003975 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.557132959 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.557187080 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:36.559093952 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.559108019 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.559119940 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.559143066 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:36.559845924 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.559860945 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.559906006 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:36.560261965 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.560305119 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:36.561110973 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.561248064 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.561260939 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.561290979 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:36.572809935 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.572892904 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:36.573630095 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.574744940 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.574758053 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.574769974 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.574781895 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.574796915 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.574803114 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:36.574803114 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:36.574846983 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:36.574868917 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.581159115 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.581217051 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:36.581238985 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.581301928 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.581336975 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:36.581341982 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.584855080 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.584908009 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:36.584908962 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.584923983 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.584958076 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:36.584995031 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.585046053 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.585089922 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:36.585124969 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.585228920 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.585241079 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:36.585273027 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:36.628536940 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.191926003 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.192162037 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.192235947 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.205486059 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.205791950 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.205806971 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.205944061 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.206006050 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.206058979 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.206800938 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.206866026 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.206911087 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.206958055 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.207551003 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.207595110 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.207631111 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.207700014 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.207739115 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.208436012 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.208470106 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.208513975 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.208522081 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.208580971 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.208631992 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.210374117 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.210479975 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.210531950 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.210556030 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.217717886 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.217783928 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.217819929 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.218611002 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.218660116 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.218679905 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.219508886 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.219554901 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.219578981 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.220499992 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.220545053 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.220570087 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.221345901 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.221393108 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.221477032 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.221528053 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.221571922 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.230113029 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.230304003 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.230348110 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.230349064 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.230413914 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.230458975 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.230561018 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.230617046 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.230655909 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.230694056 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.230782986 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.230828047 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.230885029 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.261945963 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.262018919 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.833631992 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.833689928 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.833744049 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.855645895 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.855683088 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.855782032 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.855822086 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.855849981 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.855906963 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.856431961 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.856523991 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.856566906 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.856575966 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.857301950 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.857348919 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.857353926 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.857462883 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.857506037 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.857567072 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.858520985 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.858567953 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.858652115 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.858762980 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.858808994 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.859337091 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.859415054 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.859456062 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:37.859563112 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:37.909796953 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:38.278628111 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:38.281404018 CET497142222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:39.005297899 CET222249714172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:39.005361080 CET497142222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:39.006661892 CET497142222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:39.025414944 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:39.025458097 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:39.771389008 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:39.771405935 CET222249714172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:39.799990892 CET497142222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:40.480889082 CET222249714172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:41.915298939 CET497142222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:42.589164019 CET222249714172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:42.594964027 CET222249714172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:42.595065117 CET497142222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:42.660942078 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:43.335680008 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:43.335742950 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:43.963598013 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:44.019169092 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:44.649369955 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:44.651345968 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:45.341250896 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:45.341447115 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:46.018933058 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:46.530925989 CET497152220192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:47.168817997 CET222049715172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:47.168926001 CET497152220192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:47.259412050 CET497152220192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:47.950032949 CET222049715172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:53.299302101 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:53.347287893 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:53.976414919 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:54.019174099 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:56.004578114 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:56.723473072 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:56.723648071 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:57.361383915 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:57.409795046 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:58.061059952 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:52:58.112909079 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:59.368146896 CET497152220192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:59.370250940 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:52:59.996061087 CET222049715172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:00.045217991 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:00.045378923 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:00.050396919 CET497152220192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:00.086458921 CET497152220192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:00.725809097 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:00.766534090 CET222049715172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:09.347949028 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:10.031708002 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:10.031816959 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:10.269582033 CET497152220192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:10.663178921 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:10.706650972 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:10.912276983 CET222049715172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:10.916311979 CET497152220192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:11.373081923 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:11.375053883 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:11.622014999 CET222049715172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:12.079325914 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:12.079483986 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:12.757380962 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:16.300425053 CET222049715172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:16.347240925 CET497152220192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:21.187609911 CET497152220192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:21.826226950 CET222049715172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:21.828105927 CET497152220192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:22.526314020 CET222049715172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:22.691899061 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:23.295109034 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:23.295387983 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:23.352725029 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:23.394100904 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:23.970124960 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:24.035221100 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:24.037358999 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:24.727042913 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:24.727144003 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:25.413332939 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:32.066247940 CET497152220192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:32.720458031 CET222049715172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:32.769185066 CET497152220192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:32.823208094 CET497152220192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:33.514141083 CET222049715172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:36.035310984 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:36.721955061 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:36.722095013 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:37.372879028 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:37.425462961 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:38.098922968 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:38.100826979 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:38.807111979 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:38.807171106 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:39.516693115 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:42.972616911 CET497152220192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:43.630395889 CET222049715172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:43.631993055 CET497152220192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:44.302903891 CET222049715172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:46.294572115 CET222049715172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:46.347207069 CET497152220192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:49.408584118 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:50.092879057 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:50.092999935 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:50.725575924 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:50.769125938 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:51.401171923 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:51.402997017 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:52.075134993 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:52.076646090 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:52.748608112 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:53.298192978 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:53.347188950 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:53.982065916 CET222249704172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:54.034672976 CET497042222192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:54.394334078 CET497152220192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:55.021358013 CET222049715172.94.105.163192.168.2.5
                                      Mar 24, 2024 01:53:55.022330046 CET497152220192.168.2.5172.94.105.163
                                      Mar 24, 2024 01:53:55.694528103 CET222049715172.94.105.163192.168.2.5
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Mar 24, 2024 01:51:59.937432051 CET | 60054 | 53 | 192.168.2.5 | 1.1.1.1
                                      Mar 24, 2024 01:52:00.047564983 CET | 53 | 60054 | 1.1.1.1 | 192.168.2.5

                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                      Mar 24, 2024 01:51:59.937432051 CET | 192.168.2.5 | 1.1.1.1 | 0x5a6a | Standard query (0) | google-updater.duckdns.org | A (IP address) | IN (0x0001) | false

                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                      Mar 24, 2024 01:52:00.047564983 CET | 1.1.1.1 | 192.168.2.5 | 0x5a6a | No error (0) | google-updater.duckdns.org |  | 172.94.105.163 | A (IP address) | IN (0x0001) | false

                                      Target ID:0
                                      Start time:01:51:47
                                      Start date:24/03/2024
                                      Path:C:\Users\user\Desktop\cirby0J3LP.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\Desktop\cirby0J3LP.exe"
                                      Imagebase:0xf60000
                                      File size:84'992 bytes
                                      MD5 hash:7C66BDD58347B8176EC473F10FD836E6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:01:51:48
                                      Start date:24/03/2024
                                      Path:C:\Users\user\AppData\Roaming\Craxs-updater.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\Craxs-updater.exe"
                                      Imagebase:0x870000
                                      File size:71'168 bytes
                                      MD5 hash:AF9F6A3FD994A9A9C8C94C90875AFA47
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.2025313085.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000002.2026024507.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.2026024507.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Craxs-updater.exe, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 88%, ReversingLabs
                                      • Detection: 69%, Virustotal, Browse
                                      Reputation:low
                                      Has exited:true

                                      Target ID:3
                                      Start time:01:51:48
                                      Start date:24/03/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\craxstcp.bat" "
                                      Imagebase:0x7ff7cb910000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:01:51:48
                                      Start date:24/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:01:51:52
                                      Start date:24/03/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Taskhostm" /tr '"C:\Users\user\AppData\Roaming\Taskhostm.exe"' & exit
                                      Imagebase:0x790000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:6
                                      Start time:01:51:52
                                      Start date:24/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:7
                                      Start time:01:51:52
                                      Start date:24/03/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD79C.tmp.bat""
                                      Imagebase:0x790000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:8
                                      Start time:01:51:52
                                      Start date:24/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:9
                                      Start time:01:51:52
                                      Start date:24/03/2024
                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                      Wow64 process (32bit):true
                                      Commandline:schtasks /create /f /sc onlogon /rl highest /tn "Taskhostm" /tr '"C:\Users\user\AppData\Roaming\Taskhostm.exe"'
                                      Imagebase:0xd60000
                                      File size:187'904 bytes
                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:10
                                      Start time:01:51:52
                                      Start date:24/03/2024
                                      Path:C:\Windows\SysWOW64\timeout.exe
                                      Wow64 process (32bit):true
                                      Commandline:timeout 3
                                      Imagebase:0x410000
                                      File size:25'088 bytes
                                      MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:11
                                      Start time:01:51:54
                                      Start date:24/03/2024
                                      Path:C:\Users\user\AppData\Roaming\Taskhostm.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\Taskhostm.exe
                                      Imagebase:0x950000
                                      File size:71'168 bytes
                                      MD5 hash:AF9F6A3FD994A9A9C8C94C90875AFA47
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.3215968004.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.3226207689.00000000053E0000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.3218533849.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.3218533849.0000000002DAC000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.3215968004.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 0000000B.00000002.3229153406.0000000007090000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.3229153406.0000000007090000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 0000000B.00000002.3229153406.0000000007090000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.3224658217.0000000003C17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.3218533849.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Taskhostm.exe, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 88%, ReversingLabs
                                      • Detection: 69%, Virustotal, Browse
                                      Reputation:low
                                      Has exited:false

                                      Target ID:12
                                      Start time:01:51:55
                                      Start date:24/03/2024
                                      Path:C:\Users\user\AppData\Roaming\Taskhostm.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\Taskhostm.exe"
                                      Imagebase:0xdc0000
                                      File size:71'168 bytes
                                      MD5 hash:AF9F6A3FD994A9A9C8C94C90875AFA47
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000C.00000002.2091062669.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000C.00000002.2090243643.000000000130A000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      Reputation:low
                                      Has exited:true

                                      Target ID:15
                                      Start time:01:52:38
                                      Start date:24/03/2024
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                      Imagebase:0xc90000
                                      File size:56'368 bytes
                                      MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000F.00000002.3218633928.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:moderate
                                      Has exited:false

                                      Target ID:16
                                      Start time:01:52:53
                                      Start date:24/03/2024
                                      Path:C:\Users\user\AppData\Roaming\mDNSRespond.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\mDNSRespond.exe"
                                      Imagebase:0x650000
                                      File size:56'368 bytes
                                      MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      • Detection: 0%, Virustotal, Browse
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:17
                                      Start time:01:52:53
                                      Start date:24/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:18
                                      Start time:01:53:01
                                      Start date:24/03/2024
                                      Path:C:\Users\user\AppData\Roaming\mDNSRespond.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\mDNSRespond.exe"
                                      Imagebase:0x2d0000
                                      File size:56'368 bytes
                                      MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:19
                                      Start time:01:53:01
                                      Start date:24/03/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1980870440.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f30000_cirby0J3LP.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 34b02e77ce5b248cccbf45cff6edbcecbe42a118f2b6c053a9e7d0a3567812de
                                        • Instruction ID: 48e89d4007830ab9a676da5ae0fe039a414c31364edc7a024a90f21a7fe784c0
                                        • Opcode Fuzzy Hash: 34b02e77ce5b248cccbf45cff6edbcecbe42a118f2b6c053a9e7d0a3567812de
                                        • Instruction Fuzzy Hash: BBB01223B4D9190BE99431EDB8411ECF380CBC40F1B901377D508C11C9D84F09D203C4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Execution Graph

                                        Execution Coverage:13.9%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:16.7%
                                        Total number of Nodes:18
                                        Total number of Limit Nodes:1

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2025772456.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_1070000_Craxs-updater.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Xaq$$]q
                                        • API String ID: 0-1280934391
                                        • Opcode ID: 3ad0537e848968d3bf00521f2cde1ab79686dc18dc6ee549364a9718c2fbf4f5
                                        • Instruction ID: d1181b30fd089cdbc20030368d8570ec8510aeaed020503a282243b6b979f05c
                                        • Opcode Fuzzy Hash: 3ad0537e848968d3bf00521f2cde1ab79686dc18dc6ee549364a9718c2fbf4f5
                                        • Instruction Fuzzy Hash: 65B1B234B042188BCB19AB7998942BE7BB7BFC8750F14846DE586D7388CE39CC028795
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 147 1073768-1076ec4 CheckRemoteDebuggerPresent 150 1076ec6-1076ecc 147->150 151 1076ecd-1076f08 147->151 150->151
                                        APIs
                                        • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 01076EB7
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2025772456.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_1070000_Craxs-updater.jbxd
                                        Similarity
                                        • API ID: CheckDebuggerPresentRemote
                                        • String ID:
                                        • API String ID: 3662101638-0
                                        • Opcode ID: 66f321582dee65d0131c2517ca78f3681d0d75a7551d258fc56e35dbb0f8637f
                                        • Instruction ID: b5ebcc5c81c0bd9edcb33fd361553f955f160116f42254fd6b28c5d93c232d09
                                        • Opcode Fuzzy Hash: 66f321582dee65d0131c2517ca78f3681d0d75a7551d258fc56e35dbb0f8637f
                                        • Instruction Fuzzy Hash: E42164B18002598FDB10CF9AD484BEEBBF4EF49320F14846AE459A3240C738A944CFA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2025772456.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_1070000_Craxs-updater.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: \Vl
                                        • API String ID: 0-682378881
                                        • Opcode ID: 548d4ad88551791c6b2477db291fd86fbc488e25ca8cb58beb3ff40777be9941
                                        • Instruction ID: d3cea79554466eed189138fe92fae6289f1adbd193ba726901d2f8e58cb8e61d
                                        • Opcode Fuzzy Hash: 548d4ad88551791c6b2477db291fd86fbc488e25ca8cb58beb3ff40777be9941
                                        • Instruction Fuzzy Hash: E2B15D70E00209CFDF54CFA9CD857DEBBF2AF88304F148529D459AB294EB749846CB89
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2025772456.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_1070000_Craxs-updater.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5dd4648cec301c045091c6db85f4a983d55d35abc8e8eb8d1893a78b5000a60b
                                        • Instruction ID: a0ffe973618bbf495b1262db46ca712117806ebfc66f5c14f1d43fa246ecc70c
                                        • Opcode Fuzzy Hash: 5dd4648cec301c045091c6db85f4a983d55d35abc8e8eb8d1893a78b5000a60b
                                        • Instruction Fuzzy Hash: CBB19B70E00609CFEF50CFA9C9817EDBBF2BF88314F148529D456AB294EB759885CB85
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 154 1076e39-1076ec4 CheckRemoteDebuggerPresent 157 1076ec6-1076ecc 154->157 158 1076ecd-1076f08 154->158 157->158
                                        APIs
                                        • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 01076EB7
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2025772456.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_1070000_Craxs-updater.jbxd
                                        Similarity
                                        • API ID: CheckDebuggerPresentRemote
                                        • String ID:
                                        • API String ID: 3662101638-0
                                        • Opcode ID: 1acaa08a83b3b030ec694b096a5e90f99b5006ebe63d0f299cce291ad4542b3b
                                        • Instruction ID: 86c2ed3da5e7f39971c527467e8e7926b75ad605db2fd8e5fbe0e1dbaf97ae7a
                                        • Opcode Fuzzy Hash: 1acaa08a83b3b030ec694b096a5e90f99b5006ebe63d0f299cce291ad4542b3b
                                        • Instruction Fuzzy Hash: 112145B18002598FDB10CF9AD884BEEFBF4AF49310F14846AE559A7251C738A984CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 161 1078ba8-1078beb 162 1078bf3-1078c22 RtlSetProcessIsCritical 161->162 163 1078c24 162->163 164 1078c29-1078c42 162->164 163->164
                                        APIs
                                        • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 01078C15
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2025772456.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_1070000_Craxs-updater.jbxd
                                        Similarity
                                        • API ID: CriticalProcess
                                        • String ID:
                                        • API String ID: 2695349919-0
                                        • Opcode ID: acdae99038859d85945a4798cd34d26d1576d0cfecf2b0e4dbc8208b319ce232
                                        • Instruction ID: b11c1f8539622c33ffcd2d99c57e92295f0b125b2f513816d4ea70d56e4f9002
                                        • Opcode Fuzzy Hash: acdae99038859d85945a4798cd34d26d1576d0cfecf2b0e4dbc8208b319ce232
                                        • Instruction Fuzzy Hash: 0A1102B18002498FDB20DF9AC484ADEBFF4EF89320F10856AD558A7251C335A944CFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 166 1078bb0-1078c22 RtlSetProcessIsCritical 168 1078c24 166->168 169 1078c29-1078c42 166->169 168->169
                                        APIs
                                        • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 01078C15
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2025772456.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_1070000_Craxs-updater.jbxd
                                        Similarity
                                        • API ID: CriticalProcess
                                        • String ID:
                                        • API String ID: 2695349919-0
                                        • Opcode ID: 9d57ca26b65f148f35aade44ca28e179a77cda826d630f1c0045ba628718e518
                                        • Instruction ID: 2bab6ed10120ed19ba6548262e45442e51eb06aa675381a1f738d4d0bc79526a
                                        • Opcode Fuzzy Hash: 9d57ca26b65f148f35aade44ca28e179a77cda826d630f1c0045ba628718e518
                                        • Instruction Fuzzy Hash: 381103B58002488FDB20DF9AC488BDEBFF4FF89310F108459D558A7250C779A944CFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2025772456.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_1070000_Craxs-updater.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: \Vl
                                        • API String ID: 0-682378881
                                        • Opcode ID: 73040d25c6a9c8dcd2d968855dd005e0276f80066202a4028964995fa4fbeb99
                                        • Instruction ID: 4bb325e1dd603793a776abcbbcc8f12580fa7ab3a1f208684d6d2c8a18e99519
                                        • Opcode Fuzzy Hash: 73040d25c6a9c8dcd2d968855dd005e0276f80066202a4028964995fa4fbeb99
                                        • Instruction Fuzzy Hash: 6C917D70E00209DFDF54CFA9C9817EDBBF2AF88314F148129E485A7254EB349886CF99
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Execution Graph

                                        Execution Coverage:9.2%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:202
                                        Total number of Limit Nodes:25

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q$LIZh$TJbq$Te]q$paq$xb`q
                                        • API String ID: 0-2814510443
                                        • Opcode ID: 97d927df349dd5d00f1e36401e85b40fe8415c0bcd93ed6a9d2406b8a3987f27
                                        • Instruction ID: 24b327a03974426afa87ec0ddf1d3f0c15302c44feb7d469321c2f327a3d2e83
                                        • Opcode Fuzzy Hash: 97d927df349dd5d00f1e36401e85b40fe8415c0bcd93ed6a9d2406b8a3987f27
                                        • Instruction Fuzzy Hash: 70522875A00224DFDB99DF68C984E99BBF2FF88304F1581A8E5099B266DB31EC51DF40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: LIZh$TJbq$Te]q$xb`q
                                        • API String ID: 0-2805892111
                                        • Opcode ID: 39558e00c0e3e3ad3c7bcad51ab9119d8571b4bcdde58325476f9062e5c9fea1
                                        • Instruction ID: ce5fa68ba8b7c56260ce55369a6bb6cacb4317d7a119de98d6f154f1a978f32d
                                        • Opcode Fuzzy Hash: 39558e00c0e3e3ad3c7bcad51ab9119d8571b4bcdde58325476f9062e5c9fea1
                                        • Instruction Fuzzy Hash: EAD16A71E106299FDB94CF68C984BADBBF2BF88304F158169E419EB355DB30AD45CB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q$4']q
                                        • API String ID: 0-3120983240
                                        • Opcode ID: 904fcdf5023079ff3b2573ffb2a06c1f382735a5fa6ab79cd5d518cf10bebbcd
                                        • Instruction ID: 0c3ca8acc846f7d4b3a7c1830be90a04f9f374c2c8f155d9fd1345a329b32e93
                                        • Opcode Fuzzy Hash: 904fcdf5023079ff3b2573ffb2a06c1f382735a5fa6ab79cd5d518cf10bebbcd
                                        • Instruction Fuzzy Hash: 0861A0B0A142098FD70DDF7AE95168ABFF3BFC9204B14C56AD004DB2A9EF784905DB52
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1495 6e730e9-6e73109 1496 6e73111-6e73371 1495->1496
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q$4']q
                                        • API String ID: 0-3120983240
                                        • Opcode ID: f5fb447263f3daa61431501da98bd29122f027d8868f3feff53f0ab1fd2ce1fb
                                        • Instruction ID: 3ea5eead384045041c289671e4a7a97ae8226c3965df8ddbfafe3ade19e40f16
                                        • Opcode Fuzzy Hash: f5fb447263f3daa61431501da98bd29122f027d8868f3feff53f0ab1fd2ce1fb
                                        • Instruction Fuzzy Hash: B3513CB0A102098FD70CEF7AE95169ABFE3BFC9304B14C529D0149B268EF785905DB51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1598 6e730f8-6e73109 1599 6e73111-6e73371 1598->1599
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q$4']q
                                        • API String ID: 0-3120983240
                                        • Opcode ID: 60332465c38c95591fb23fdc78f76d14ecad11caef60a36ae7664531d00774a7
                                        • Instruction ID: c87bc31c11ac3d156ea5051c454fd6cedce6494dfef97f304ab5b295b31ba099
                                        • Opcode Fuzzy Hash: 60332465c38c95591fb23fdc78f76d14ecad11caef60a36ae7664531d00774a7
                                        • Instruction Fuzzy Hash: 63514BB0A102098FD70CEF7AE951A9ABFE3BFC9304F14C529D0049B2A8EF785905DB51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @
                                        • API String ID: 0-2766056989
                                        • Opcode ID: b1cbc61950f17dcf208dd5b91944af3cb7bfb93b114fd7674d14384e41941690
                                        • Instruction ID: 0849f3da5895ebe25f76c37223ab24cc516e10204932ceb07d3b3d8fc2dae692
                                        • Opcode Fuzzy Hash: b1cbc61950f17dcf208dd5b91944af3cb7bfb93b114fd7674d14384e41941690
                                        • Instruction Fuzzy Hash: 80427EB0A10206DFDB28DF68C584A6EBBF6BF89300F1584A9D505DB7A5DB34EC85CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fb80eb7dbe49fd752791c31e3da3cfeeab993d3e0cb2da8bd92feb560611bf4d
                                        • Instruction ID: 74087d90ba5b83fa402ab0c76101d4f9e72ce32d04376e650666590958089afb
                                        • Opcode Fuzzy Hash: fb80eb7dbe49fd752791c31e3da3cfeeab993d3e0cb2da8bd92feb560611bf4d
                                        • Instruction Fuzzy Hash: B2125CB4A102069FC719DF68C6849AEBBF2FF88300B19C599E509DB766D734EC85CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b43c80732473077e87d1775d1fcaebf3ff3b7577f4ce6e7f8eb7ad83412f47c0
                                        • Instruction ID: 94b5f87a470b2722986b9a705c058d11403dfb75d450974893b09641a7de0a82
                                        • Opcode Fuzzy Hash: b43c80732473077e87d1775d1fcaebf3ff3b7577f4ce6e7f8eb7ad83412f47c0
                                        • Instruction Fuzzy Hash: EF220B74A11229CFCB95EF28C984A99BBF6FF88304F1085D9E509A7354DB34AE81CF45
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7dd5998b7a9b97bd7c8b982012bab20f857bfc59701e2917c3674e6e6d038bb7
                                        • Instruction ID: b531979a79680e77584e2a74325536e72841f0a6941e82845170c05e08f4b4d4
                                        • Opcode Fuzzy Hash: 7dd5998b7a9b97bd7c8b982012bab20f857bfc59701e2917c3674e6e6d038bb7
                                        • Instruction Fuzzy Hash: AE638AB0B40219AFEB259B50CD95BAEBA76FF88700F1040D9E6093B2D5CB795E80CF55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ,aq$,aq
                                        • API String ID: 0-2990736959
                                        • Opcode ID: b88d3a7aeb9ba9fb09a24f53f572ddfa6381a927550329db29086dd5451abe6f
                                        • Instruction ID: 83a84bdd61e9e5ce5158270064ad0b572dffef2df130755327ce61c8af046b8a
                                        • Opcode Fuzzy Hash: b88d3a7aeb9ba9fb09a24f53f572ddfa6381a927550329db29086dd5451abe6f
                                        • Instruction Fuzzy Hash: B5E14BB47601128FC718DF3DC998A2AB7EABF8965471580A9E906CB376EF74DC01CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (aq$d
                                        • API String ID: 0-3557608343
                                        • Opcode ID: 2336deff8fb6247159f57061d003490263ab921e4f5506b42e49a442686bc0b3
                                        • Instruction ID: f8db182c99740c562d500a4015c88d1c33849e207f1649fe5e4f7f71dd7304a5
                                        • Opcode Fuzzy Hash: 2336deff8fb6247159f57061d003490263ab921e4f5506b42e49a442686bc0b3
                                        • Instruction Fuzzy Hash: 75A13834A006058FCB64CF19C48096AF7F2FF88314B26DAA9D45A9B765DB30FC42CB95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: a]q$xaq
                                        • API String ID: 0-2511178932
                                        • Opcode ID: 92b37a003c522d7d713980c464fe9b8e33221c90df39b56995f50da291233f47
                                        • Instruction ID: b2a83540c7533834d67db46af022290aba72f31a986440f3c024414bc0d0ceb7
                                        • Opcode Fuzzy Hash: 92b37a003c522d7d713980c464fe9b8e33221c90df39b56995f50da291233f47
                                        • Instruction Fuzzy Hash: C351CEB5B102058FD718AB68D489B6E76E7FFCA304F208429D1069B7D8CF789C05DB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (aq$(aq
                                        • API String ID: 0-3916115647
                                        • Opcode ID: d05868e58bd11688ac0c78c71078d8026800ef590118cc517ce01d6067fac04c
                                        • Instruction ID: cd5213dfdb3159af23dfdec5209e164f45a119f97339523088e406897703a0fd
                                        • Opcode Fuzzy Hash: d05868e58bd11688ac0c78c71078d8026800ef590118cc517ce01d6067fac04c
                                        • Instruction Fuzzy Hash: 7841DF71610606CFCF2CDF29D5506AEBBF2AF88211F208569D406A739ADF719D06CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Hb^q
                                        • API String ID: 0-932020720
                                        • Opcode ID: cc602fae3ea2b50973c96dd3f4a3ff6087d3c00f288b4c6ccfaac7799db892fe
                                        • Instruction ID: 62c268204a0be6401abf2d97971a0052e62644a9ea1152230844c3ee032b199e
                                        • Opcode Fuzzy Hash: cc602fae3ea2b50973c96dd3f4a3ff6087d3c00f288b4c6ccfaac7799db892fe
                                        • Instruction Fuzzy Hash: 8B4259B4A10206DFCB19CF69C584A9EBBF6FF48310F158599E805AB366DB30ED41CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073AA196
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230214258.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_73a0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: c289f83df6e987d6efc918a9322fc47e3521943f196033e88af814ac61c6ba56
                                        • Instruction ID: 8e86b4a9311a27bac1a4a23b03412d274cbfff158a6c9f3b838900de3fda2c9c
                                        • Opcode Fuzzy Hash: c289f83df6e987d6efc918a9322fc47e3521943f196033e88af814ac61c6ba56
                                        • Instruction Fuzzy Hash: 01A15DB2D1021ADFEB24DFA8C8417EDBBB2FF49314F148169D818A7240DB759985CF92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073AA196
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230214258.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_73a0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0

                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073A9E00
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230214258.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_73a0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0

                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073A9D00
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230214258.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_73a0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0

                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073A9D00
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230214258.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_73a0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0

                                        APIs
                                        • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 02AC6EB7
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3218331453.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_2ac0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID: CheckDebuggerPresentRemote
                                        • String ID:
                                        • API String ID: 3662101638-0

                                        APIs
                                        • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 02AC6EB7
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3218331453.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_2ac0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID: CheckDebuggerPresentRemote
                                        • String ID:
                                        • API String ID: 3662101638-0

                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073A9E00
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230214258.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_73a0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0

                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073A9AAE
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230214258.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_73a0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0

                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073A9E00
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230214258.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_73a0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0

                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073A9AAE
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230214258.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_73a0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0

                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073A9BFE
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230214258.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_73a0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0

                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073A9BFE
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230214258.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_73a0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0

                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073A9BFE
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230214258.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_73a0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3218331453.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_2ac0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3218331453.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_2ac0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0

                                        APIs
                                        • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 02AC87AD
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3218331453.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_2ac0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID: CriticalProcess
                                        • String ID:
                                        • API String ID: 2695349919-0

                                        APIs
                                        • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 02AC87AD
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3218331453.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_2ac0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID: CriticalProcess
                                        • String ID:
                                        • API String ID: 2695349919-0

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $]q
                                        • API String ID: 0-1007455737

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: U
                                        • API String ID: 0-3372436214

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: xaq
                                        • API String ID: 0-793007810

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: cU
                                        • API String ID: 0-2984249731

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q
                                        • API String ID: 0-1259897404

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: xaq
                                        • API String ID: 0-793007810

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @
                                        • API String ID: 0-2766056989

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: xaq
                                        • API String ID: 0-793007810
                                        • Opcode ID: 503c3d2fc1cedc64028eb1ca2c3f102c6e6b59c28a6056d45727bbcbea08f06a
                                        • Instruction ID: bfc361c3c63e09f860e55b89e7314e0d064e48f593a68b0c5ab5d44b3b992f74
                                        • Opcode Fuzzy Hash: 503c3d2fc1cedc64028eb1ca2c3f102c6e6b59c28a6056d45727bbcbea08f06a
                                        • Instruction Fuzzy Hash: 135103B5B152018FD719EB18E089B6E77B6FBC6304F508529D1068B7C8CB789C05DB81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: xaq
                                        • API String ID: 0-793007810
                                        • Opcode ID: ceb492a53848eea457363f523ab7d1fee3f0b8a0f1ea7e45ef9409c4f9a9c93b
                                        • Instruction ID: 79863a6f84cd87a5ef1c691e039b9a0cebbfd5dbb11607d66001b96c9b157477
                                        • Opcode Fuzzy Hash: ceb492a53848eea457363f523ab7d1fee3f0b8a0f1ea7e45ef9409c4f9a9c93b
                                        • Instruction Fuzzy Hash: 55519BB5B252058FD718EB14E088B6AB3B2FBC6304F618529D1068B7CCCB79AC45DB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: xaq
                                        • API String ID: 0-793007810
                                        • Opcode ID: 2a448583f31f39bd88f652856a531428e9409006cfcd4e9699ba6af5781ab948
                                        • Instruction ID: c48c2df9a76fbef94bc6884bd951dd99a57bbc10648d12d45dd90031733a2c70
                                        • Opcode Fuzzy Hash: 2a448583f31f39bd88f652856a531428e9409006cfcd4e9699ba6af5781ab948
                                        • Instruction Fuzzy Hash: 264145B5B152048FD719EB18E058B6B7BA6FBC6304F108129E1069B7C8CB799C05CB82
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: xaq
                                        • API String ID: 0-793007810
                                        • Opcode ID: ba356f416b0a8746ac27185fb662da0303e854405199bc41a2552e4961a387da
                                        • Instruction ID: c4334a185ba3e23e41252aa1d9bc68202378c3ac85cb66363d7cb5fb004842c9
                                        • Opcode Fuzzy Hash: ba356f416b0a8746ac27185fb662da0303e854405199bc41a2552e4961a387da
                                        • Instruction Fuzzy Hash: B041DFB5B102058FD718EB18E098B6E73E6FBC5304F608529D1068B7C8CF799C05DB86
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: xaq
                                        • API String ID: 0-793007810
                                        • Opcode ID: 6f70840b0571d1ab6472f58dd8e8d2a28babb2e98c78c98638c600b0bcaf70cb
                                        • Instruction ID: b7425eb800d706d16445e1604f8a39c0b13321972478e488bcf1ddd9436550c4
                                        • Opcode Fuzzy Hash: 6f70840b0571d1ab6472f58dd8e8d2a28babb2e98c78c98638c600b0bcaf70cb
                                        • Instruction Fuzzy Hash: 8141FFB9B252058FD718EB18E489B6A73F2FB86304F508529E1068B7C8DB799C45CB81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: xaq
                                        • API String ID: 0-793007810
                                        • Opcode ID: 4c9f3be09295dc4f023c7bd610efb1640f6091cbad979354a8f415ca5a991ade
                                        • Instruction ID: e7705385944b40462a50f7b0828b115878909b0e9835d6263f3fc22aef0d4d65
                                        • Opcode Fuzzy Hash: 4c9f3be09295dc4f023c7bd610efb1640f6091cbad979354a8f415ca5a991ade
                                        • Instruction Fuzzy Hash: 3A410FB5B152049FD718AB18E058B6F77A6FBC9304F208429E1069B7C8CF79AC05CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: xaq
                                        • API String ID: 0-793007810
                                        • Opcode ID: abd753eb01b39cdb5d7797f298dde2dbe355a1525f42ddf620eaadfd64254610
                                        • Instruction ID: 623c618e391b203ba726ae1dd26ab26bbf29b95e9274b8f7be7e9dbdc0039d9b
                                        • Opcode Fuzzy Hash: abd753eb01b39cdb5d7797f298dde2dbe355a1525f42ddf620eaadfd64254610
                                        • Instruction Fuzzy Hash: 5841D1B5B152058FD718FB14E499B6A73B2FBC5304F608529E1068B7CCCB79AC45DB81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: xaq
                                        • API String ID: 0-793007810
                                        • Opcode ID: 615830ba4998cb619b9faa185e41ccda0a2d86a275f81f47489a95b686b4cd9c
                                        • Instruction ID: b8907a5b03976d1fb09cd7ad886e67e94425b44b79bd07e97ae2d1da7c09ace8
                                        • Opcode Fuzzy Hash: 615830ba4998cb619b9faa185e41ccda0a2d86a275f81f47489a95b686b4cd9c
                                        • Instruction Fuzzy Hash: 6C41DFB5B152048FD718EB14E088B6A73B3FBC6304F608529D1068B7CCCB79AC45DB82
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: xaq
                                        • API String ID: 0-793007810
                                        • Opcode ID: 53c458ab5c3f328e292dff1b755256d0781cef4d7a66981028618d07261287ce
                                        • Instruction ID: fd4b7dbaa8a78ef7c72d3dfaa080e6599e3aacfd8acc30b6b06d8926fb643097
                                        • Opcode Fuzzy Hash: 53c458ab5c3f328e292dff1b755256d0781cef4d7a66981028618d07261287ce
                                        • Instruction Fuzzy Hash: C941DFB5B152048FD718EB58E049B6E73A6FBCA304F608429E1068B7C8CB799C04DB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @
                                        • API String ID: 0-2766056989
                                        • Opcode ID: ad2c49602b5f608bb1d33781bf2790b270c63ef4e26b33cefd1b830802c475c3
                                        • Instruction ID: 3850d7544a6e6ccfead573e59c896e6859001f63cc2a4275e9f8a29136d4df49
                                        • Opcode Fuzzy Hash: ad2c49602b5f608bb1d33781bf2790b270c63ef4e26b33cefd1b830802c475c3
                                        • Instruction Fuzzy Hash: B021B472A1021ADFCB15CFA5C885DAEBBF9FF89310B04806AE914DB251D734DA45CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: U
                                        • API String ID: 0-3372436214
                                        • Opcode ID: 3f584be2d0d0516b90414cd9958ea4f40e9898248211fa83927f44c210af0b7f
                                        • Instruction ID: 095fb8f312930fab7c9e47d88ae8979a0c657f43164bf572b926aa565e9345b5
                                        • Opcode Fuzzy Hash: 3f584be2d0d0516b90414cd9958ea4f40e9898248211fa83927f44c210af0b7f
                                        • Instruction Fuzzy Hash: 34116DB4F142149FCB08DBB8D4544AE7BF6AF8A300B0105AAD506EB3A5DA34DC05CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q
                                        • API String ID: 0-1259897404
                                        • Opcode ID: 33af5460de11454c18113780f30436f9ddbea05c81ab0c0f357dc1abebd22204
                                        • Instruction ID: 5753b624e5a5f017b1b2d0b2f99596c9ea30924b80977727b033d7e58b058468
                                        • Opcode Fuzzy Hash: 33af5460de11454c18113780f30436f9ddbea05c81ab0c0f357dc1abebd22204
                                        • Instruction Fuzzy Hash: A7F090713002019FCA5CEB2CE450A6E77EBEFCA2443504A29D14A8F758EF74EC0687A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: J
                                        • API String ID: 0-1141589763
                                        • Opcode ID: 4e1f85e577427b74df4877ba5877c234f0fa67a0fff04cac20b8ebdd665642bc
                                        • Instruction ID: 9b6ef36d603643da9039b6f2006bc2674881ac32ef877d168a9c1099ab330b72
                                        • Opcode Fuzzy Hash: 4e1f85e577427b74df4877ba5877c234f0fa67a0fff04cac20b8ebdd665642bc
                                        • Instruction Fuzzy Hash: D9C08CF6B101A442CB59A320F1107AC7FA1AF8B964F280388C5089AA46C72498034B8B
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3229877509.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_71e0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a30c92007041eb45ef3e108c36e32605b5d3e7790d9155b4d2a9b9beda309ee1
                                        • Instruction ID: 2e43b9987e5023a701ea11aecaa638df1964407d5f1f677449c73a481ddb8fa0
                                        • Opcode Fuzzy Hash: a30c92007041eb45ef3e108c36e32605b5d3e7790d9155b4d2a9b9beda309ee1
                                        • Instruction Fuzzy Hash: DB426BB5600605DFC765CF68D58495AFBFAFF48300B158669E84A8B6A5DB34FC82CF80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3ec932c1c56ad197bce59738c0030aa3ea1568072a25d22f0fa2ee03868a71b9
                                        • Instruction ID: ed247036f85aeb8f1d4f8581cdc40e280c16c802951a9dc667ca6a661e120136
                                        • Opcode Fuzzy Hash: 3ec932c1c56ad197bce59738c0030aa3ea1568072a25d22f0fa2ee03868a71b9
                                        • Instruction Fuzzy Hash: F5023674B006058FCB44DF29D888A6ABBF6FF89304B1584A9E506CB376DB35EC46CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3229877509.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_71e0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7e705528733074a49cb3eb139f57429eeb42bc3580194d8025c3f7a2ad499c84
                                        • Instruction ID: 61f9e019caa38e368081f91bd8f4be090a40e4a9189ea3806e870e3a0194dfa5
                                        • Opcode Fuzzy Hash: 7e705528733074a49cb3eb139f57429eeb42bc3580194d8025c3f7a2ad499c84
                                        • Instruction Fuzzy Hash: A6B17EB5204B41CFE722CF28D584B65BBFAAF41314F4884A9D0498FAE2D775E889CF51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230269139.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7700000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 06514ce10595bd9414965e506b958f692f1754ccd45e8a920f7a97b8ea4054c5
                                        • Instruction ID: be3284505ea0bd133ecf64ee084fe0ec73dc80091bd9f8d274f2ccff9fc3d68b
                                        • Opcode Fuzzy Hash: 06514ce10595bd9414965e506b958f692f1754ccd45e8a920f7a97b8ea4054c5
                                        • Instruction Fuzzy Hash: AAA149B46002019FCB09DF68E584D59BBB6FF8931471089A8E45A8F776DB34FD49CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6b4611b9c2243fcce767f63d823df26d7eb0aa5bf3e6a48514827c4beb587073
                                        • Instruction ID: 45af3e017b8b50e51d7a0e100adf66a69c4596d9a8d5f13c5a0d102f725b4db3
                                        • Opcode Fuzzy Hash: 6b4611b9c2243fcce767f63d823df26d7eb0aa5bf3e6a48514827c4beb587073
                                        • Instruction Fuzzy Hash: 8A81BD74A007468FC724CF69C88096ABBF6FF89314B1486A9D169CB3A5D730FC46CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e49faff1f28b6d031c60c6547ad850d9ca2c66bc4aa2a63f93099dd323e1914c
                                        • Instruction ID: cf5bf6b3c802650de413cbb319332c9e0cd6b7160be25825c88e939087307168
                                        • Opcode Fuzzy Hash: e49faff1f28b6d031c60c6547ad850d9ca2c66bc4aa2a63f93099dd323e1914c
                                        • Instruction Fuzzy Hash: D651DE251563C2AFB3CA9EB69C499F23BD8D9CE207F141C75E983D7111F71A48438EA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f375229bb9e1d34797960b1b09a963900005c5626b8926af4940dfe57537305a
                                        • Instruction ID: 9db988d23e1abb906e35b979bc8f13764c517c7e72e3dc974f0746f76c2583d8
                                        • Opcode Fuzzy Hash: f375229bb9e1d34797960b1b09a963900005c5626b8926af4940dfe57537305a
                                        • Instruction Fuzzy Hash: 0361AF34B08349CFE794CBA4C854BF87BB1FF49310F286466E512AB691DB399D41CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 68192a45cba337a42f996f7f174258acbc518bb928dfe49e39bbefb8adfa2f1f
                                        • Instruction ID: bb39e2edb60b175a6929176e67f005bf19b191236be4d091155ec1bb193001db
                                        • Opcode Fuzzy Hash: 68192a45cba337a42f996f7f174258acbc518bb928dfe49e39bbefb8adfa2f1f
                                        • Instruction Fuzzy Hash: 1851C6B5A14256DFCB15CF68C884EAABBF2FF46320F148555E495DB2A2C734ED80CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5b1649ecda415e29529ee1e0e23b95fe03fc617771ea4534de33040016a47cf8
                                        • Instruction ID: 313ad3fcbd71fcc5fae268868b30004c5fac9224ac8e09f3c7a816f984fafc46
                                        • Opcode Fuzzy Hash: 5b1649ecda415e29529ee1e0e23b95fe03fc617771ea4534de33040016a47cf8
                                        • Instruction Fuzzy Hash: BC515BB0A012059FCB09DFA9D844AAEBBB7FF89310F248429E856A7795DB349C45CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 92cf37a7c444f7050ef82be601ea4e7cb8c921002ac7cee5052d5043703090b5
                                        • Instruction ID: 845b9a359663168b9f167181ec3be0d6b69d21bb0cb9c909144ae7f9e370bc50
                                        • Opcode Fuzzy Hash: 92cf37a7c444f7050ef82be601ea4e7cb8c921002ac7cee5052d5043703090b5
                                        • Instruction Fuzzy Hash: A95180B47002009FD748FB29D998A6AFAEBEFC9304B14C56884098F3A9DF759D45CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ca759c7b5ba7d3f5a9b4217d88e085df1b2ef9a29f5dcaf8efe5b6a2a01c0a05
                                        • Instruction ID: b43f0873b037d6af2698f2955fc8f0965f9c1699a0df96e49d656ade752c9979
                                        • Opcode Fuzzy Hash: ca759c7b5ba7d3f5a9b4217d88e085df1b2ef9a29f5dcaf8efe5b6a2a01c0a05
                                        • Instruction Fuzzy Hash: CD41D67661020A9FCF02CFA4E8448EF7FBAEF892107148066F955C7211D735D965CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Instruction ID: 7c32e6ccd11b2219ed5b0b6965d335b2393ef634344685fe4e39cb9aa91e1aba
                                        • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                        • Instruction Fuzzy Hash: 7411BB75504280DFDF06CF54E9C4B15BFA2FB84A14F24C6AADC494B256C33AD40ACBA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3d8eaf5a56c41d390e352b1ca3628274f2df8246fd2db52793ad83872cd1a507
                                        • Instruction ID: aee592d86f98d255cb0686c0a68485bf9410e50a4f1fa4c1cf95c6dee9d4a3ff
                                        • Opcode Fuzzy Hash: 3d8eaf5a56c41d390e352b1ca3628274f2df8246fd2db52793ad83872cd1a507
                                        • Instruction Fuzzy Hash: 11113A70E24349EFDB89DF65D99829EBFF2AF52304F6080BAC415E7294DB349A41CB41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3229877509.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_71e0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 97f0283d026fe9c8e74b4e4e6e0b98e8cbad14044eabf854fdcc4f51c9affd12
                                        • Instruction ID: 2412a116eacb47233dcdd20d586e64cfdc65b1af750885de56243f47ce2f9877
                                        • Opcode Fuzzy Hash: 97f0283d026fe9c8e74b4e4e6e0b98e8cbad14044eabf854fdcc4f51c9affd12
                                        • Instruction Fuzzy Hash: 270149F6708B92CFE32ACA68D4446A6BBB6EB85210F0849ABC40587291C335D44ECB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8bf009dc8afe6bfc653e57440d4af032b5738774ce68b1b9a557a0e1eb4f1453
                                        • Instruction ID: 8767baa31528cb9cf45b9e5adf48c7d0c5e53a0651f9499a652b5e27a7ac34c3
                                        • Opcode Fuzzy Hash: 8bf009dc8afe6bfc653e57440d4af032b5738774ce68b1b9a557a0e1eb4f1453
                                        • Instruction Fuzzy Hash: 8801D87181E3C8EFD7939B3498153983FE09B02205F1945E7C588C71D3E1384A4AE712
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0d60bb51e8678804796395c725261c5ec079cd8ce6ab87d4c46bf58a9026c44d
                                        • Instruction ID: 2a724de3d670ccd1bf139ee83c49dfcacfa1db5c1fa85f54311926003c68c066
                                        • Opcode Fuzzy Hash: 0d60bb51e8678804796395c725261c5ec079cd8ce6ab87d4c46bf58a9026c44d
                                        • Instruction Fuzzy Hash: 451170356002059FCB04DF68D884D9EBBF6FF89324B1481A9E8199B362DB71ED06CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 99e491ce5d3c7c23ca7418aa70b47a54d3320c44a801165d69edf03473e45ebb
                                        • Instruction ID: 939e3f54f59b3277e0a4df225bda0c6d5925c438069828efbe61e4c3da64e22c
                                        • Opcode Fuzzy Hash: 99e491ce5d3c7c23ca7418aa70b47a54d3320c44a801165d69edf03473e45ebb
                                        • Instruction Fuzzy Hash: DF0167617B41454BDB49B6B89B2033D16C76BDA210B74447FC14BE73C5DD248D028B55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9f1936dabdf0e1a7646bdab635fe994df9b72f7c364863804f8426bb6e28e514
                                        • Instruction ID: 32a62ecb8843496c4c8e1848201476fcc6eee7d6831788574e2269f56d0a94fa
                                        • Opcode Fuzzy Hash: 9f1936dabdf0e1a7646bdab635fe994df9b72f7c364863804f8426bb6e28e514
                                        • Instruction Fuzzy Hash: 8A016DB1A1120ACBCF2CDBA4C5596EEBBF1AF4C700F144069E801B7296DB728D41CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 22cc60c44d4bf05f2dcaccdcf41fe3de7bf111a6c565397543aaab4fd14f3d95
                                        • Instruction ID: bf4582259012094052b454e9e14914f58e729b68da1d045ca04892fc57000110
                                        • Opcode Fuzzy Hash: 22cc60c44d4bf05f2dcaccdcf41fe3de7bf111a6c565397543aaab4fd14f3d95
                                        • Instruction Fuzzy Hash: D3110070E1030DEFDB88DFA5D94869EBBF6BB95304F60D0B5D405E7284EB309A418B41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3229877509.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_71e0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d7a6314462f73da92818c87a58e42cc1570a8f11226798dcfff2052936376bea
                                        • Instruction ID: 9c9080ddef98a53bbf5159294061c4e90dd117d201a601780001f8cb67826014
                                        • Opcode Fuzzy Hash: d7a6314462f73da92818c87a58e42cc1570a8f11226798dcfff2052936376bea
                                        • Instruction Fuzzy Hash: 2C012BB32296508FD7254A75F8C0BE67BECDF4AA75B0805AEE088C71D1D22A9509CB20
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230269139.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7700000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 92c5cb4eed74a2c4aa1e809f015ae4db949a8a2395fc4b4869193747caf31dfc
                                        • Instruction ID: 8ea0139a72e5eb62cda44077420245d998af826115392efebbcd6a26fbe6eb3e
                                        • Opcode Fuzzy Hash: 92c5cb4eed74a2c4aa1e809f015ae4db949a8a2395fc4b4869193747caf31dfc
                                        • Instruction Fuzzy Hash: EDF08172304219AF9B10DE59FC448BFBBEEFBC8661314812AF50DC3200DB7598058760
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6c0e3eb8e50d0b720e8116cc625a3c69d83ca979f74597d0b2e57a02132994b0
                                        • Instruction ID: cf61f5a4e81caa58d9bd66f5413f27ace450cc778fb38ab175739e36abfa90e0
                                        • Opcode Fuzzy Hash: 6c0e3eb8e50d0b720e8116cc625a3c69d83ca979f74597d0b2e57a02132994b0
                                        • Instruction Fuzzy Hash: 05014F722546409FCB14CF69D884C56BBF9FF8A36131945AAE14AC7661C735EC42CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9160d167892bf3e38aeb3e64100335a1861177549de9ae7948e4e627113db1e0
                                        • Instruction ID: db459653001b10faa7a9ec07047f4e4a691a47e70e623aa92074b46b0281fc70
                                        • Opcode Fuzzy Hash: 9160d167892bf3e38aeb3e64100335a1861177549de9ae7948e4e627113db1e0
                                        • Instruction Fuzzy Hash: 0D018F30A05349DFE754DE60C9457EB76F2EB88344F201469D602AB388CBB6AE44CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8c2e200b1bd1bfb69123b788eae80abb8c9115de9fd3c2c53e0a70512c5fd0ba
                                        • Instruction ID: b3407c06b01e2f4fe2aa69ecb60309f065d7192fdfa82bfb3d8386da8a660596
                                        • Opcode Fuzzy Hash: 8c2e200b1bd1bfb69123b788eae80abb8c9115de9fd3c2c53e0a70512c5fd0ba
                                        • Instruction Fuzzy Hash: 2DF078617252B00BC708A77C95A565E7FE9DFC2640B0040E7C406CF694CE2CCC06C395
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230269139.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7700000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bdc2382f005e9bbee2b419431cc0b8810f9c0c6aff41e8158e21465814262c30
                                        • Instruction ID: 2bdd5c0761c7a84f57ae98ff4e4f6d6fae831d524ed99db31a34b0789c6da199
                                        • Opcode Fuzzy Hash: bdc2382f005e9bbee2b419431cc0b8810f9c0c6aff41e8158e21465814262c30
                                        • Instruction Fuzzy Hash: 310169B4E01219ABCB18DFA9D954AEEBFF2AF88350F108429E811B7250CB315900DFA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230269139.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7700000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 681900b637537fe119a2d6891cbbc4afd1716d5591b2fa440046d98c08b1389a
                                        • Instruction ID: a5939895de5212fd55dce687c82a7fb5de3903af94d5ac445b8723120cccb50a
                                        • Opcode Fuzzy Hash: 681900b637537fe119a2d6891cbbc4afd1716d5591b2fa440046d98c08b1389a
                                        • Instruction Fuzzy Hash: 4BF0B4B7B012236BF725045B5850BBF6A4BDBC96A1F0A4025EE0583240C676CD6193A4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b6b82d7f999c4b9ec5f7c2203c90e63ef97653e8584da8a6e627c6c913c64c13
                                        • Instruction ID: f0c04d8e1bcd830e9a2a8c59356454a5d8ccc97d0bc2fd5a34028a4ae981738e
                                        • Opcode Fuzzy Hash: b6b82d7f999c4b9ec5f7c2203c90e63ef97653e8584da8a6e627c6c913c64c13
                                        • Instruction Fuzzy Hash: 54F0F634A143449FE705AA30C9857FB36EAEBC5344F144079D602A7388CEB7AD418B90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aa7889a0e4476c9072678ac30e9ae4ece927faa70529db50e53d8e1e0fcfcc1e
                                        • Instruction ID: dcd06245a5b7b23a950cb544b45eb20829a66df1c624244297769dcfe9a99f69
                                        • Opcode Fuzzy Hash: aa7889a0e4476c9072678ac30e9ae4ece927faa70529db50e53d8e1e0fcfcc1e
                                        • Instruction Fuzzy Hash: 0C015631A00349CFDF59EAA4C6557EAB6B2BB48300F284569C106BB398DB794D05CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c4f07b18b5ebdf149a74fec17c1cbb96ebf9b47c36ff3b7890f70b62554c1939
                                        • Instruction ID: 13d3670c7a2088ad71d211ba562e18ea5162a54a62c0adf9f23009cd88025c81
                                        • Opcode Fuzzy Hash: c4f07b18b5ebdf149a74fec17c1cbb96ebf9b47c36ff3b7890f70b62554c1939
                                        • Instruction Fuzzy Hash: 97F0BB727582169F8B0CEEA8B4001AA7BD9EB4556575440ABE50DC7580DE35D841C780
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 497bba8ca50fa8b7bdd542ef468c1da5e94653aa0a33a95854edff11ef8b1a02
                                        • Instruction ID: 1db3bd7934035b12ac12b436a0d8c5e6370278fe6e1d6ab863b0426de30b7107
                                        • Opcode Fuzzy Hash: 497bba8ca50fa8b7bdd542ef468c1da5e94653aa0a33a95854edff11ef8b1a02
                                        • Instruction Fuzzy Hash: 2D014630A00359CFDF58EAA4C5547EAB6F2BB48700F28456DC102B7388CB7A4E01CBE1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3229877509.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_71e0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9adade898fa3d54e81dcde2e58a5c368ae1111410a6ed92fff48b0a89cbe745d
                                        • Instruction ID: 2a74c73d822c9b2ffba25db76474548cea67ccbc288ba0e20641a228b51c3413
                                        • Opcode Fuzzy Hash: 9adade898fa3d54e81dcde2e58a5c368ae1111410a6ed92fff48b0a89cbe745d
                                        • Instruction Fuzzy Hash: 5EF02472508BA30EE73316B86404392BBE8AF02124F0C49A7C4CDC25C1D759C54D8BC1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 23a1c2b90e1afda4280dd319374dac7b649b35ca90d64ce95918414a898812d7
                                        • Instruction ID: a34e574852a50d78792294a40ebb0d24a68a0c674f126f2ea039c60d5505b435
                                        • Opcode Fuzzy Hash: 23a1c2b90e1afda4280dd319374dac7b649b35ca90d64ce95918414a898812d7
                                        • Instruction Fuzzy Hash: D3E06D3614425AAFCB028E94DC01CEA7F7AEB892207048056FD448B262C776DC22DBE1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d8be8ad5f3a5dadd40512fbc55718abf4525300e1472d6f4bb385ca9856a77fc
                                        • Instruction ID: 72831f7935aa5becbb40e562d4ee35163b9c6c4a90c26e22a15e6c98c2a5bcc0
                                        • Opcode Fuzzy Hash: d8be8ad5f3a5dadd40512fbc55718abf4525300e1472d6f4bb385ca9856a77fc
                                        • Instruction Fuzzy Hash: 69E026353093921FD712167938D807A7FAADBDA131308407BF488C7301CE588C0A8711
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 612cc4925fdffef405fd6f76c47f4f23b5e0f0c385103c52b6f89866c2b24566
                                        • Instruction ID: 13d454a0ecfb70d2c5722beaa1abc992903ee7c8d45914d5031b43b3d776eea4
                                        • Opcode Fuzzy Hash: 612cc4925fdffef405fd6f76c47f4f23b5e0f0c385103c52b6f89866c2b24566
                                        • Instruction Fuzzy Hash: 1DE0D8361042549FC7028F58D9008E63B35DF4A21071480CBF894C7161C773DE25CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 43702d92491377d4f7a6ec34825f8f67d2f9171827145620472ffe9733c333df
                                        • Instruction ID: ab0eab588e5efa5a290f3903a905f57468a9ec51e1e658d1c44af133c7a58470
                                        • Opcode Fuzzy Hash: 43702d92491377d4f7a6ec34825f8f67d2f9171827145620472ffe9733c333df
                                        • Instruction Fuzzy Hash: 1EE04F7591120CEFCB80DEA4E80879A77E9E709305F109865E405D3140F6318651FB95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dd8b94d5554ff55375303780e9c1998701b59d2e231901d1df2de327ae0e2c89
                                        • Instruction ID: 5bfbc02ee094b9bdcf5642dd665cabce747d8b13a43bc7f05f8f7e8a8928d3ac
                                        • Opcode Fuzzy Hash: dd8b94d5554ff55375303780e9c1998701b59d2e231901d1df2de327ae0e2c89
                                        • Instruction Fuzzy Hash: 42D0A776704211279714256F78CC43FBA9EE7CC535314413AF50DC7300DDA5CC0A4290
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230269139.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7700000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230269139.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7700000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 97530ce67924e03be5bc430ee6c9f303e25aa3ff199a49318af05d3b4c22df4c
                                        • Instruction ID: 11bad98d13a1439eae50ee154ceddaa78b966ba670ab4fee0307eb1eb6a92a02
                                        • Opcode Fuzzy Hash: 97530ce67924e03be5bc430ee6c9f303e25aa3ff199a49318af05d3b4c22df4c
                                        • Instruction Fuzzy Hash: 57C012A10552424FD3024F6199468D17FB0693221231504D2D5C586052D12C142AC36F
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fdb3c1a4f858e71282c3b773e953efc71e9733ae7815cd880c5d08f07b8cc2a7
                                        • Instruction ID: e7db8194510e4de9e5bfaba94f884e22c233c9fcd8b8a514847659f29217852f
                                        • Opcode Fuzzy Hash: fdb3c1a4f858e71282c3b773e953efc71e9733ae7815cd880c5d08f07b8cc2a7
                                        • Instruction Fuzzy Hash: 57C08C760A03248FC3009B38E40AC90BBF8AF08A3932480E8E0088B623C722E8408B91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c55746b13ff2ad6f57ed3f574a0c1f60dfa631d39ff5b4ffb80d365229a7371d
                                        • Instruction ID: dd5b693ad3f8e695765fe0c20faf3feee6c334660dda41bf62845205f4e227ed
                                        • Opcode Fuzzy Hash: c55746b13ff2ad6f57ed3f574a0c1f60dfa631d39ff5b4ffb80d365229a7371d
                                        • Instruction Fuzzy Hash: B1C0127560410097D200C554C461915F7A1EBE5318F14C45DD44887395CE37E807C704
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230269139.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7700000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 21e48d86b5bf31b2b839f67d5617377b4cc179e2a0429307380a19a8637c1b0b
                                        • Instruction ID: f20cb4aa20cc7514c28073ab89714ffbcaf638a3f9660a7aa76e52c23cd2b014
                                        • Opcode Fuzzy Hash: 21e48d86b5bf31b2b839f67d5617377b4cc179e2a0429307380a19a8637c1b0b
                                        • Instruction Fuzzy Hash: 9EB0927094530CAF8620DA99A90285ABBACDA0A210B0005D9EA098B320D972A91056D1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230269139.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7700000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
                                        • Instruction ID: 60a72056a403d9f31dd85fef4a7a76d12bb133d0d450fb6ef353260f5a4d9492
                                        • Opcode Fuzzy Hash: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
                                        • Instruction Fuzzy Hash: 0BC09274300100AF8348CA18C895C26F7E6EFD8214B24C46DB84DC7365EF32EC03CA10
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230269139.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7700000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
                                        • Instruction ID: 60a72056a403d9f31dd85fef4a7a76d12bb133d0d450fb6ef353260f5a4d9492
                                        • Opcode Fuzzy Hash: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
                                        • Instruction Fuzzy Hash: 0BC09274300100AF8348CA18C895C26F7E6EFD8214B24C46DB84DC7365EF32EC03CA10
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1c005c5180cb1d0f86b26974ce0d0bd0e5800ddea4c63ee03f8b31c8d0a73781
                                        • Instruction ID: bff8e6e071e5b12f16a9bf214ee95441f4e5c25f3c299216e859ca150ec3fca1
                                        • Opcode Fuzzy Hash: 1c005c5180cb1d0f86b26974ce0d0bd0e5800ddea4c63ee03f8b31c8d0a73781
                                        • Instruction Fuzzy Hash: FEC04C646091C44FC3059724C9714107B21AFA620535980FFA599CF293DA3AEC469B01
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230269139.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7700000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 491cb1b8d0ecb24bedf58a126b9a35ad8c2896a6a27e8e2c9b210a93c7cab198
                                        • Instruction ID: 9e6f19bd0f3b4823543ed80dc26e39c2571b6a7392393b17fa779308347fa8f3
                                        • Opcode Fuzzy Hash: 491cb1b8d0ecb24bedf58a126b9a35ad8c2896a6a27e8e2c9b210a93c7cab198
                                        • Instruction Fuzzy Hash: AAB0123004830D4FC500BB55F405A053B5CF9813047850221F40D8681DAA7C6D6486C8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
                                        • Instruction ID: a0ccf6e4bed68dc0c69f5d0bbd707ad7c253f4111acce2a0e91a8f8d8fd4bd45
                                        • Opcode Fuzzy Hash: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
                                        • Instruction Fuzzy Hash: 03B092351602088F82409B68E448C00B3E8AB08A243118090E10C8B232C621F8008A40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9cbae6bea8fcaef81cb550d371be0828c2ff089a9cca5f3bace387d1df344e5e
                                        • Instruction ID: 997bd8686063e67c38d3ab5ae504695e400e5242420934523b2eb3b98d0120e7
                                        • Opcode Fuzzy Hash: 9cbae6bea8fcaef81cb550d371be0828c2ff089a9cca5f3bace387d1df344e5e
                                        • Instruction Fuzzy Hash: CBC09230506240CFCB06CF30D1489007B72FF4230536980E8E0898F562C736DC82CB00
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 571d182884436e5aaa52bc9f964faea54af8ef7164f614ecda36735c4dbd241a
                                        • Instruction ID: f2ca9c34121f920f8fd6bc001f247dceb9d239051814f3887f5bd37fdf5c06d4
                                        • Opcode Fuzzy Hash: 571d182884436e5aaa52bc9f964faea54af8ef7164f614ecda36735c4dbd241a
                                        • Instruction Fuzzy Hash: 3890027106460C8F4F402B95740E5957B9CA5446157C40061B90D415016F99641085A6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3228986985.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6e70000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                        • Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
                                        • Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                        • Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.3230120448.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7240000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                        • Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
                                        • Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                        • Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        • API String ID:
                                        • Opcode ID: d1653d857e26bbce6c4ca95d2634c814e36d37723ef95957eb2fdbb0e2b439a8
                                        • Instruction ID: 0c37d9159ae2e8ed63529c3ce90305e477fea9718dc16c7e90a9153bff4710dc
                                        • Opcode Fuzzy Hash: d1653d857e26bbce6c4ca95d2634c814e36d37723ef95957eb2fdbb0e2b439a8
                                        • Instruction Fuzzy Hash: 90210E71B402059FCB08AFB9C9543AE7BDEEFC9711B10486CD54AC7345DE348C068BA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.2090875111.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_2fb0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0780ca051e6946dfbbc3f454a92286842780c260745a939e3ac7842dc58766a3
                                        • Instruction ID: d7b843919e9a6005b9d5986773a67b068353ce273ec2984b279d24611ea9af93
                                        • Opcode Fuzzy Hash: 0780ca051e6946dfbbc3f454a92286842780c260745a939e3ac7842dc58766a3
                                        • Instruction Fuzzy Hash: DE11B471B402055FCB08AFBE991436EBADFEFC8700F108829D50AD3385DE388C0587A5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.2090875111.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_2fb0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 70a41461ae440e475a7d16b1225fa6ff4a3c1a2069edad1b3b9f3bc2e7127402
                                        • Instruction ID: 6248d2c7e9005672f140ac794e10138117f132533190436ec4cfdf2886f24840
                                        • Opcode Fuzzy Hash: 70a41461ae440e475a7d16b1225fa6ff4a3c1a2069edad1b3b9f3bc2e7127402
                                        • Instruction Fuzzy Hash: A821C672F05248DBCB11CFA6D8916EFFBB1BF48BD0F204269D609B72C0D6715905CA40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.2090875111.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_2fb0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e8310b97027b28a191bff0f3928ca7904eea4a3fcf898a7b761407b557e41666
                                        • Instruction ID: f2ebb9fc2b77f9abeb2f5f36e785a58f8079f859d1257e5f0ad4e75152c3a965
                                        • Opcode Fuzzy Hash: e8310b97027b28a191bff0f3928ca7904eea4a3fcf898a7b761407b557e41666
                                        • Instruction Fuzzy Hash: 2B116D357002089FCB15EB7AC8146AE7AA7EF89345B104878D905DB394DE399C42CB51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.2090875111.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_2fb0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7d7a6f988b62f2b4df1e55d67c9b1c3a4a1b50bb10b851934e6e8b57cbd21c2b
                                        • Instruction ID: 99fdfcdb9c454e353af49e6a22d8bf85f4554abe418823e6c7236023c67657eb
                                        • Opcode Fuzzy Hash: 7d7a6f988b62f2b4df1e55d67c9b1c3a4a1b50bb10b851934e6e8b57cbd21c2b
                                        • Instruction Fuzzy Hash: 6FD012929593C14FC71303A418AE0E57F78CC530303450AC7C0EB860F3DC0504139765
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.2090875111.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_2fb0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f8abed0c215478968bb0af03f672dea81c9f6c228c949178f68a7a610eacb65f
                                        • Instruction ID: 147cd25871ac4f1a5ba68734a6987fa77488c022b8607af7ce83517d58b9181b
                                        • Opcode Fuzzy Hash: f8abed0c215478968bb0af03f672dea81c9f6c228c949178f68a7a610eacb65f
                                        • Instruction Fuzzy Hash: 62110832B44100CFC302DE6AD460B97BBE6EF84390B1586A6E60ECB7A4DA20DC01CF51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.2090875111.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_2fb0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2c49bff6daecd7b4f15ccd00c083260732ac4165a45d7473a99efb316ed238b7
                                        • Instruction ID: b574a0863b931bfc47529233cb8b17c6be7765e58d325b80a079c718af7111e1
                                        • Opcode Fuzzy Hash: 2c49bff6daecd7b4f15ccd00c083260732ac4165a45d7473a99efb316ed238b7
                                        • Instruction Fuzzy Hash: DE114C74E4020ADFDB01DFAAD9516EFBBF9EF44240F5085659609A7300DB305A44CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.2090875111.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_2fb0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d746489b3063acae7e90141cabc39f77a42924e54c0d77521c66b879de113a8d
                                        • Instruction ID: bc9ad55f3354d0de2033daece239a4a828054076c3da8e63e85f8e98957352a7
                                        • Opcode Fuzzy Hash: d746489b3063acae7e90141cabc39f77a42924e54c0d77521c66b879de113a8d
                                        • Instruction Fuzzy Hash: F9F08C30D402488FD7059BA2DC14A9DBFB1EF88340F00857A8426972D8DE781945CB01
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.2090875111.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_2fb0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f1a44c722738862a97c885e91f6b10474e85bd1aa29ea383de3424a896836dbf
                                        • Instruction ID: bc9cd51bd1f6fa04099e7ba003de16aadab6dd15efd8476ad8d57c1f77371122
                                        • Opcode Fuzzy Hash: f1a44c722738862a97c885e91f6b10474e85bd1aa29ea383de3424a896836dbf
                                        • Instruction Fuzzy Hash: 9AE086363041099F4705966FA4548AB77DAEFCC2753514475E20ECB310DE50AC0287A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.2090875111.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_2fb0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: df25bf138fa73e0e16ac31bfbf97a4e5375ce368812dfed2771f0408befc8ced
                                        • Instruction ID: 2e8b34fb1033a11faaf752511ea227bf933a018c581555bf8e747893dff00012
                                        • Opcode Fuzzy Hash: df25bf138fa73e0e16ac31bfbf97a4e5375ce368812dfed2771f0408befc8ced
                                        • Instruction Fuzzy Hash: 3AF01734E40208DFDB04DBA6D804AADBFB6EF88340F408479D916A3398DFB46945CF41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.2090875111.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_2fb0000_Taskhostm.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 65bd5e8c17c6969ec945ca5188f236987c0f5b3ac9f43808929a7e2d112db10c
                                        • Instruction ID: e2713f5adc33b315bfc4e33186e1f463d113c2ad228bfff0c235bd64b8bac1a2
                                        • Opcode Fuzzy Hash: 65bd5e8c17c6969ec945ca5188f236987c0f5b3ac9f43808929a7e2d112db10c
                                        • Instruction Fuzzy Hash: 579022300C030C8F000023C23808000B32CC2000003C00000A00C000020A2220200088
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Execution Graph

                                        Execution Coverage:16.1%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:70
                                        Total number of Limit Nodes:15
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.3226907206.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_6ae0000_aspnet_compiler.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
                                        • API String ID: 0-99275883
                                        • Opcode ID: 9f312eefeeff55347eb58025b100439eb8661b27f17727d3a3d9f9218c828d05
                                        • Instruction ID: 9d336270fb0a7cfd63001aeb9ec1a22b35516b53e41b9ebcc926850bb50d5297
                                        • Opcode Fuzzy Hash: 9f312eefeeff55347eb58025b100439eb8661b27f17727d3a3d9f9218c828d05
                                        • Instruction Fuzzy Hash: AE827E30A00609DFCB55EF68D984AAEBBF2FF88304F158559E445EB2A6D7B0EC51CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.3226907206.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_6ae0000_aspnet_compiler.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6b6c32bf8417b8d0c31fd8d18df7b7d61147b4db4368f70cbfd7830821fff1cf
                                        • Instruction ID: 7c84161a26b094f55b417ba61c68ff58d5f7b5e760692dfe1333d5d58b6b7aab
                                        • Opcode Fuzzy Hash: 6b6c32bf8417b8d0c31fd8d18df7b7d61147b4db4368f70cbfd7830821fff1cf
                                        • Instruction Fuzzy Hash: ED827234B102198FE754FB24D9A4BBE73B6EB89300F1085A9D50A9B394DF759D81CF81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.3226907206.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_6ae0000_aspnet_compiler.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $]q$$]q
                                        • API String ID: 0-127220927
                                        • Opcode ID: 08fe4d3f7b9209372929866b0a97e0f42b303ea8d45b6126dbb18522ba775d93
                                        • Instruction ID: 7a7cddfc8411c9624bdb7d38f0d944664f44b5854c93a2931e382c4459fe4e0f
                                        • Opcode Fuzzy Hash: 08fe4d3f7b9209372929866b0a97e0f42b303ea8d45b6126dbb18522ba775d93
                                        • Instruction Fuzzy Hash: 6F526F74A0021C8FEB55EBA4C960BAEBB76FF84340F1084AAC50AAB3A5DF345D45DF51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.3226907206.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_6ae0000_aspnet_compiler.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q$4']q
                                        • API String ID: 0-3120983240
                                        • Opcode ID: c9f4f24f26d00cdf9bcd66655d80db1e96d1abbba380179c9e828ea9c982a7ab
                                        • Instruction ID: f714150199a14558820ccf8f12c4d6b928c6f4186a2c03ff25d024803a0b0d9f
                                        • Opcode Fuzzy Hash: c9f4f24f26d00cdf9bcd66655d80db1e96d1abbba380179c9e828ea9c982a7ab
                                        • Instruction Fuzzy Hash: 16D15E307101018FEBA5AB2DC959B7D77AEAF84704F14446AE506CF3A1EA65CE42CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.3216741391.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_12b0000_aspnet_compiler.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 739b234a6be68f4da223c5d8c8de53f2763b3b6f971dda08fbde2ab3bd6fb43c
                                        • Instruction ID: ec73223b02923eb9b818168952a6862a93e28a7fb6dd661e697f259f26ab4a9e
                                        • Opcode Fuzzy Hash: 739b234a6be68f4da223c5d8c8de53f2763b3b6f971dda08fbde2ab3bd6fb43c
                                        • Instruction Fuzzy Hash: 23411272D1434A8FCB14DFB9D8406EEBBF5AF89310F14856AC508A7291DB389884CBD0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,012BC6DA), ref: 012BC7C7
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.3216741391.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_12b0000_aspnet_compiler.jbxd
                                        Similarity
                                        • API ID: GlobalMemoryStatus
                                        • String ID:
                                        • API String ID: 1890195054-0
                                        • Opcode ID: 3cc3b1d39cc6aa03ee7a82de7384b6a0863345e0b1f0db87292ec0d88f8acb99
                                        • Instruction ID: 4e1dc3ffb954aa4e2ecdb9078dff1f86fc728ca87cdd1d8d6cd0d35899cf8637
                                        • Opcode Fuzzy Hash: 3cc3b1d39cc6aa03ee7a82de7384b6a0863345e0b1f0db87292ec0d88f8acb99
                                        • Instruction Fuzzy Hash: DD11F2B1C106599BDB14DF9AC584BDEFBB8EF48310F10816AD918A7240D378A954CFE5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.3226907206.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_6ae0000_aspnet_compiler.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q
                                        • API String ID: 0-1259897404
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.3226907206.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_6ae0000_aspnet_compiler.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (o]q
                                        • API String ID: 0-794736227
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.3226907206.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_6ae0000_aspnet_compiler.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4']q
                                        • API String ID: 0-1259897404
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.3226907206.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_6ae0000_aspnet_compiler.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (o]q$(o]q$(o]q$(o]q
                                        • API String ID: 0-1261621458
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2635184637.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_f80000_mDNSRespond.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: tP]q
                                        • API String ID: 0-2175968468
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2635184637.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_f80000_mDNSRespond.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 8aq
                                        • API String ID: 0-538729646
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2635184637.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_f80000_mDNSRespond.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 8aq
                                        • API String ID: 0-538729646
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2635184637.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_f80000_mDNSRespond.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: acf504cb7d658d0427324b1c68bc24bd06ad75fb52861397e14987624dd43364
                                        • Instruction ID: 8294895b67310c04531434caa5ec4c266bd5d916fed27ea668c60e9523132e49
                                        • Opcode Fuzzy Hash: acf504cb7d658d0427324b1c68bc24bd06ad75fb52861397e14987624dd43364
                                        • Instruction Fuzzy Hash: F171DE35A01209CFCB15FFB8E854A9EB7B6EF84310F108529D4099B365DF74AD4ADB82
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2635184637.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_f80000_mDNSRespond.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2635184637.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_f80000_mDNSRespond.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2635184637.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_f80000_mDNSRespond.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2635184637.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_f80000_mDNSRespond.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.2715545943.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_c00000_mDNSRespond.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: tP]q
                                        • API String ID: 0-2175968468
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.2715545943.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_c00000_mDNSRespond.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 8aq
                                        • API String ID: 0-538729646
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.2715545943.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_c00000_mDNSRespond.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 8aq
                                        • API String ID: 0-538729646
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000012.00000002.2715545943.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_c00000_mDNSRespond.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000012.00000002.2715545943.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_c00000_mDNSRespond.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000012.00000002.2715545943.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_c00000_mDNSRespond.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000012.00000002.2715545943.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_c00000_mDNSRespond.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000012.00000002.2715545943.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_c00000_mDNSRespond.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000012.00000002.2715545943.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_c00000_mDNSRespond.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000012.00000002.2715545943.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_c00000_mDNSRespond.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%