Windows Analysis Report
mhYCwt8wBz.exe

Overview

General Information

Sample name: mhYCwt8wBz.exe (renamed because the original name is a hash value)
Original sample name: 2fb7fc0949aa14070e5e5d1ec37d48e7.exe
Analysis ID: 1421033
MD5: 2fb7fc0949aa14070e5e5d1ec37d48e7
SHA1: 9b0043790d9881f690e11086004d3218648d9c22
SHA256: 246ab25a7240d684c1a6bf5abd6bcd6f13e0d86c97940883bc249e2b7cb23853
Tags: exe, njrat, RAT

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Disables zone checking for all users
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Self deletion via cmd or bat file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • mhYCwt8wBz.exe (PID: 6988 cmdline: "C:\Users\user\Desktop\mhYCwt8wBz.exe" MD5: 2FB7FC0949AA14070E5E5D1EC37D48E7)
    • Exspa.exe (PID: 6552 cmdline: "C:\Users\user\AppData\Local\Temp\Exspa.exe" MD5: 2FB7FC0949AA14070E5E5D1EC37D48E7)
    • cmd.exe (PID: 2004 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\user\Desktop\mhYCwt8wBz.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 7060 cmdline: choice /C Y /N /D Y /T 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • Exspa.exe (PID: 7444 cmdline: "C:\Users\user\AppData\Local\Temp\Exspa.exe" .. MD5: 2FB7FC0949AA14070E5E5D1EC37D48E7)
  • Exspa.exe (PID: 7612 cmdline: "C:\Users\user\AppData\Local\Temp\Exspa.exe" .. MD5: 2FB7FC0949AA14070E5E5D1EC37D48E7)
  • Exspa.exe (PID: 7728 cmdline: "C:\Users\user\AppData\Local\Temp\Exspa.exe" .. MD5: 2FB7FC0949AA14070E5E5D1EC37D48E7)
  • Exspa.exe (PID: 7836 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe" MD5: 2FB7FC0949AA14070E5E5D1EC37D48E7)
  • Exspa.exe (PID: 7960 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe" MD5: 2FB7FC0949AA14070E5E5D1EC37D48E7)
  • cleanup
Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Extracted malware configuration:
{"Host": "6.tcp.eu.ngrok.io", "Port": "11964", "Campaign ID": "HacKed", "Version": "Platinum", "Network Seprator": "|Ghost|"}
Yara matches: initial sample

Source | Rule | Description | Author
mhYCwt8wBz.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
mhYCwt8wBz.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
mhYCwt8wBz.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0xb7ff:$a1: get_Registry
  • 0xeb14:$a2: SEE_MASK_NOZONECHECKS
  • 0xe8e2:$a3: Download ERROR
  • 0xec6c:$a4: cmd.exe /c ping 0 -n 2 & del "
mhYCwt8wBz.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0xec6c:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0xdefa:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0xe904:$s3: Executed As
  • 0xe8e2:$s6: Download ERROR
  • 0xe560:$s7: shutdown -r -t 00
  • 0xdebc:$s8: Select * From AntiVirusProduct
mhYCwt8wBz.exe | Unknown_Malware_Sample_Jul17_2 | Detects unknown malware sample with pastebin RAW URL | Florian Roth
  • 0xf39a:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol
  • 0xdb86:$s2: https://pastebin.com/raw/
  • 0xf8d2:$s3: My.Computer
  • 0xf374:$s4: MyTemplate
Yara matches: dropped files

Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\Exspa.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
C:\Users\user\AppData\Local\Temp\Exspa.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Local\Temp\Exspa.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0xb7ff:$a1: get_Registry
  • 0xeb14:$a2: SEE_MASK_NOZONECHECKS
  • 0xe8e2:$a3: Download ERROR
  • 0xec6c:$a4: cmd.exe /c ping 0 -n 2 & del "
C:\Users\user\AppData\Local\Temp\Exspa.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0xec6c:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0xdefa:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0xe904:$s3: Executed As
  • 0xe8e2:$s6: Download ERROR
  • 0xe560:$s7: shutdown -r -t 00
  • 0xdebc:$s8: Select * From AntiVirusProduct
C:\Users\user\AppData\Local\Temp\Exspa.exe | Unknown_Malware_Sample_Jul17_2 | Detects unknown malware sample with pastebin RAW URL | Florian Roth
  • 0xf39a:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol
  • 0xdb86:$s2: https://pastebin.com/raw/
  • 0xf8d2:$s3: My.Computer
  • 0xf374:$s4: MyTemplate
Yara matches: memory dumps

Source | Rule | Description | Author
00000000.00000000.1618665113.0000000000062000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000000.00000000.1618665113.0000000000062000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0xb5ff:$a1: get_Registry
  • 0xe914:$a2: SEE_MASK_NOZONECHECKS
  • 0xe6e2:$a3: Download ERROR
  • 0xea6c:$a4: cmd.exe /c ping 0 -n 2 & del "
00000000.00000000.1618665113.0000000000062000.00000002.00000001.01000000.00000003.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0xe914:$a2: SEE_MASK_NOZONECHECKS
  • 0xeaf4:$b1: [TAP]
  • 0xea6c:$c3: cmd.exe /c ping
00000000.00000000.1618665113.0000000000062000.00000002.00000001.01000000.00000003.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0xe914:$reg: SEE_MASK_NOZONECHECKS
  • 0xe6be:$msg: Execute ERROR
  • 0xe71e:$msg: Execute ERROR
  • 0xea6c:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000002.1685027347.0000000002782000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
Yara matches: unpacked PEs

Source | Rule | Description | Author
0.0.mhYCwt8wBz.exe.60000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0.0.mhYCwt8wBz.exe.60000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.mhYCwt8wBz.exe.60000.0.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0xb7ff:$a1: get_Registry
  • 0xeb14:$a2: SEE_MASK_NOZONECHECKS
  • 0xe8e2:$a3: Download ERROR
  • 0xec6c:$a4: cmd.exe /c ping 0 -n 2 & del "
0.0.mhYCwt8wBz.exe.60000.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0xec6c:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0xdefa:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0xe904:$s3: Executed As
  • 0xe8e2:$s6: Download ERROR
  • 0xe560:$s7: shutdown -r -t 00
  • 0xdebc:$s8: Select * From AntiVirusProduct
0.0.mhYCwt8wBz.exe.60000.0.unpack | Unknown_Malware_Sample_Jul17_2 | Detects unknown malware sample with pastebin RAW URL | Florian Roth
  • 0xf39a:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol
  • 0xdb86:$s2: https://pastebin.com/raw/
  • 0xf8d2:$s3: My.Computer
  • 0xf374:$s4: MyTemplate

                  System Summary

Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: "C:\Users\user\AppData\Local\Temp\Exspa.exe" .., EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Exspa.exe, ProcessId: 6552, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exspa.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Local\Temp\Exspa.exe" .., EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Exspa.exe, ProcessId: 6552, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exspa.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Exspa.exe, ProcessId: 6552, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Local\Temp\Exspa.exe" .., EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Exspa.exe, ProcessId: 6552, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Exspa.exe
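The Sigma hits above (Run-key values under HKCU and under HKLM\SOFTWARE\WOW6432Node pointing at a copy in the user's Temp folder, plus a PE and a .url shortcut dropped into the user's Startup folder) and the self-deletion command in the process tree (cmd.exe /C choice /C Y /N /D Y /T 5 & Del "...") can be reproduced as detection logic over Sysmon-style telemetry. The Python below is an added example, not Joe Sandbox or Sigma project code: the events are constructed here from the paths and command lines in this report, the suspicious-folder list is the author's own selection rather than any Sigma rule's exact list, and the rule names are made up for this example.

```python
"""Detection logic for the persistence and self-deletion behaviour in this report,
run over constructed Sysmon-style events (EventID 1 = process create,
11 = file create, 13 = registry value set). Added example, not Joe Sandbox code."""
import re
from typing import Iterable

# Folders an autorun entry should not normally point into. Author's own selection
# modelled on the report's Temp path; not a Sigma rule's exact list. Tune per site.
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\desktop\\",
    "\\downloads\\",
)
# ...\CurrentVersion\Run and RunOnce, in both the native and the WOW6432Node view.
AUTORUN_KEY_RE = re.compile(
    r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run(?:once)?\\",
    re.IGNORECASE,
)
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+$", re.IGNORECASE)
# A delay primitive (choice / ping / timeout) chained with del: the self-deletion idiom
# seen in the process tree and in the Yara string 'cmd.exe /c ping 0 -n 2 & del "'.
SELF_DELETE_RE = re.compile(
    r"(?:choice\s+/c\s+\S+\s+/n\s+/d\s+\S+\s+/t\s+\d+|ping\s+\S+\s+-n\s+\d+|timeout\s+/t\s+\d+)"
    r"[^&]*&\s*del\b",
    re.IGNORECASE,
)
FIRST_TOKEN_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def launched_image(details: str) -> str:
    """Executable path (lower-cased) from a Run value such as '"C:\\...\\Exspa.exe" ..'."""
    m = FIRST_TOKEN_RE.match(details)
    return (m.group(1) or m.group(2)).lower() if m else ""


def detect(event: dict) -> list[str]:
    """Names of the (hypothetical) rules one event triggers; empty list if none."""
    hits: list[str] = []
    eid = event.get("EventID")
    if eid == 13 and event.get("EventType") == "SetValue":
        if AUTORUN_KEY_RE.search(event.get("TargetObject", "")):
            image = launched_image(event.get("Details", ""))
            if any(d in image for d in SUSPICIOUS_DIRS):
                hits.append("autorun_key_to_suspicious_folder")
    elif eid == 11:
        target = event.get("TargetFilename", "")
        if STARTUP_DIR_RE.search(target):
            ext = target.rsplit(".", 1)[-1].lower() if "." in target else ""
            hits.append(f"startup_folder_write:{ext}")  # .exe and .url both count
    elif eid == 1:
        if SELF_DELETE_RE.search(event.get("CommandLine", "")):
            hits.append("self_delete_via_cmd")
    return hits


def scan(events: Iterable[dict]) -> list[tuple[int, str]]:
    """Run detect() over an event stream; return (ProcessId, rule) pairs."""
    return [(e.get("ProcessId", -1), h) for e in events for h in detect(e)]


# Constructed events mirroring the registry, file and process records in this report.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 6552,
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exspa.exe",
     "Details": r'"C:\Users\user\AppData\Local\Temp\Exspa.exe" ..'},
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 6552,
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Exspa.exe",
     "Details": r'"C:\Users\user\AppData\Local\Temp\Exspa.exe" ..'},
    {"EventID": 11, "ProcessId": 6552,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe"},
    {"EventID": 11, "ProcessId": 6552,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.url"},
    {"EventID": 1, "ProcessId": 2004,
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\user\Desktop\mhYCwt8wBz.exe"'},
    # Benign controls (constructed): a vendor Run key under Program Files and a document write.
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 4242,
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r'"C:\Program Files\Vendor\updater.exe" /background'},
    {"EventID": 11, "ProcessId": 4242, "TargetFilename": r"C:\Users\user\Documents\notes.txt"},
]

if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

Two of the report's behaviours are deliberately not folded into the same rule: the Temp-folder autorun and the Startup-folder drop fire independently, so a sample that only does one of them still produces an alert, and the self-deletion check keys on the delay-then-del chain rather than on the deleted path, which varies per sample.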

                  Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Exspa.exe, ProcessId: 6552, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.url

No Snort rule has matched

                  AV Detection

Source: mhYCwt8wBz.exe | Avira: detected
Source: 6.tcp.eu.ngrok.io | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: 0.0.mhYCwt8wBz.exe.60000.0.unpack | Malware Configuration Extractor: Njrat {"Host": "6.tcp.eu.ngrok.io", "Port": "11964", "Campaign ID": "HacKed", "Version": "Platinum", "Network Seprator": "|Ghost|"}
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe | ReversingLabs: Detection: 84%
Source: mhYCwt8wBz.exe | ReversingLabs: Detection: 84%
Source: Yara match | File source: mhYCwt8wBz.exe, type: SAMPLE
Source: Yara match | File source: 0.0.mhYCwt8wBz.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mhYCwt8wBz.exe.2784b78.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mhYCwt8wBz.exe.2784b78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1618665113.0000000000062000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1685027347.0000000002782000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4080946239.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mhYCwt8wBz.exe PID: 6988, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Exspa.exe PID: 6552, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Exspa.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe | Joe Sandbox ML: detected
Source: mhYCwt8wBz.exe | Joe Sandbox ML: detected
Source: mhYCwt8wBz.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: mhYCwt8wBz.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

                  Networking

Source: Malware configuration extractor | URLs: 6.tcp.eu.ngrok.io
Source: Yara match | File source: mhYCwt8wBz.exe, type: SAMPLE
Source: Yara match | File source: 0.0.mhYCwt8wBz.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mhYCwt8wBz.exe.2784b78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Exspa.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 3.68.171.119:11964
Source: global traffic | TCP traffic: 192.168.2.4:49748 -> 3.69.157.220:11964
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 52.28.247.255:11964
Source: global traffic | TCP traffic: 192.168.2.4:49775 -> 3.66.38.117:11964
Source: Joe Sandbox View | IP Address: 3.66.38.117
Source: Joe Sandbox View | IP Address: 52.28.247.255
Source: Joe Sandbox View | IP Address: 3.68.171.119
Source: Joe Sandbox View | IP Address: 3.69.157.220
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: unknown | DNS traffic detected: queries for: 6.tcp.eu.ngrok.io
Source: mhYCwt8wBz.exe, 00000000.00000002.1685027347.0000000002761000.00000004.00000800.00020000.00000000.sdmp, Exspa.exe, 00000001.00000002.4080946239.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, Exspa.exe, 00000006.00000002.1921259206.0000000003201000.00000004.00000800.00020000.00000000.sdmp, Exspa.exe, 00000009.00000002.2003870537.0000000003291000.00000004.00000800.00020000.00000000.sdmp, Exspa.exe, 0000000A.00000002.2085871974.0000000003461000.00000004.00000800.00020000.00000000.sdmp, Exspa.exe, 0000000C.00000002.2167255698.0000000003351000.00000004.00000800.00020000.00000000.sdmp, Exspa.exe, 0000000D.00000002.2249619443.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/EngADTbC
Source: mhYCwt8wBz.exe, Exspa.exe.0.dr, Exspa.exe.1.dr | String found in binary or memory: https://pastebin.com/raw/EngADTbC=MicrosoftEdgeUpdateTaskMachine
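The extracted configuration and the traffic above show one ngrok TCP tunnel hostname (6.tcp.eu.ngrok.io, port 11964) reached over four different Amazon addresses within a single run, so a block list built from the IPs alone will not hold. The Python below is an added example, not Joe Sandbox code: it parses the report's configuration JSON and traffic lines (copied here as constructed input, plus one unrelated flow added to exercise the port filter) into an IOC set and marks which indicators are durable. The ngrok hostname pattern is an assumption about ngrok's TCP tunnel naming, not something the report states.

```python
"""IOC extraction for the njRAT configuration and traffic in this report.
Added example, not Joe Sandbox code; nothing is fetched from the network."""
import json
import re

# Configuration exactly as the extractor printed it (the key "Network Seprator"
# is the extractor's own spelling and is kept verbatim).
CONFIG_JSON = ('{"Host": "6.tcp.eu.ngrok.io", "Port": "11964", "Campaign ID": "HacKed", '
               '"Version": "Platinum", "Network Seprator": "|Ghost|"}')

# "global traffic" lines from the Networking section, plus one constructed
# unrelated HTTPS flow so the port filter has something to drop.
TRAFFIC_LINES = [
    "TCP traffic: 192.168.2.4:49730 -> 3.68.171.119:11964",
    "TCP traffic: 192.168.2.4:49748 -> 3.69.157.220:11964",
    "TCP traffic: 192.168.2.4:49760 -> 52.28.247.255:11964",
    "TCP traffic: 192.168.2.4:49775 -> 3.66.38.117:11964",
    "TCP traffic: 192.168.2.4:49801 -> 93.184.216.34:443",  # constructed
]

FLOW_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
# Assumption about ngrok's TCP tunnel naming: <n>.tcp[.<region>].ngrok.io
NGROK_TCP_RE = re.compile(r"^\d+\.tcp\.(?:[a-z]{2,3}\.)?ngrok\.io$", re.IGNORECASE)


def parse_config(text: str) -> dict:
    """Normalise the extractor's string-valued JSON into typed fields."""
    raw = json.loads(text)
    return {
        "host": raw["Host"],
        "port": int(raw["Port"]),
        "campaign": raw["Campaign ID"],
        "version": raw["Version"],
        "separator": raw["Network Seprator"],
    }


def parse_flows(lines) -> list[tuple[str, int, str, int]]:
    """(src_ip, src_port, dst_ip, dst_port) for every line that carries a flow."""
    flows = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            flows.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return flows


def c2_endpoints(cfg: dict, flows) -> list[str]:
    """Distinct destination IPs contacted on the configured C2 port."""
    return sorted({dst for _, _, dst, dport in flows if dport == cfg["port"]})


def build_iocs(cfg: dict, flows) -> dict:
    """Indicator set plus a verdict on which indicators will survive IP rotation."""
    ips = c2_endpoints(cfg, flows)
    tunnel = bool(NGROK_TCP_RE.match(cfg["host"]))
    # Several IPs behind one tunnel hostname in one run means the operator is not
    # tied to an address: hunt and block on the hostname and port (and on ngrok
    # TCP tunnel DNS in general, if the environment never uses it), not on the IPs.
    durable = ["domain", "port"] if (tunnel or len(ips) > 1) else ["domain", "port", "ips"]
    return {
        "domain": cfg["host"],
        "port": cfg["port"],
        "campaign": cfg["campaign"],
        "ips": ips,
        "ngrok_tcp_tunnel": tunnel,
        "durable": durable,
    }


if __name__ == "__main__":
    print(json.dumps(build_iocs(parse_config(CONFIG_JSON), parse_flows(TRAFFIC_LINES)), indent=2))
```

The campaign ID ("HacKed") and version string ("Platinum") are kept in the IOC set for clustering across samples, not for blocking: they are operator-chosen labels and the builder defaults are shared by many unrelated campaigns.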

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: mhYCwt8wBz.exe, Form1.cs | .Net Code: SetHook
Source: mhYCwt8wBz.exe, kl.cs | .Net Code: VKCodeToUnicode
Source: Exspa.exe.0.dr, Form1.cs | .Net Code: SetHook
Source: Exspa.exe.0.dr, kl.cs | .Net Code: VKCodeToUnicode
Source: 0.2.mhYCwt8wBz.exe.2784b78.0.raw.unpack, Form1.cs | .Net Code: SetHook
Source: 0.2.mhYCwt8wBz.exe.2784b78.0.raw.unpack, kl.cs | .Net Code: VKCodeToUnicode
Source: Exspa.exe.1.dr, Form1.cs | .Net Code: SetHook
Source: Exspa.exe.1.dr, kl.cs | .Net Code: VKCodeToUnicode

                  E-Banking Fraud

Source: Yara match | File source: mhYCwt8wBz.exe, type: SAMPLE
Source: Yara match | File source: 0.0.mhYCwt8wBz.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mhYCwt8wBz.exe.2784b78.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mhYCwt8wBz.exe.2784b78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1618665113.0000000000062000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1685027347.0000000002782000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4080946239.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mhYCwt8wBz.exe PID: 6988, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Exspa.exe PID: 6552, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Exspa.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, type: DROPPED

                  System Summary

                  barindex
                  Source: mhYCwt8wBz.exe, type: SAMPLEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                  Source: mhYCwt8wBz.exe, type: SAMPLEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
                  Source: mhYCwt8wBz.exe, type: SAMPLEMatched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
                  Source: mhYCwt8wBz.exe, type: SAMPLEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                  Source: mhYCwt8wBz.exe, type: SAMPLEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: mhYCwt8wBz.exe, type: SAMPLEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: mhYCwt8wBz.exe, type: SAMPLEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                  Source: 0.0.mhYCwt8wBz.exe.60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                  Source: 0.0.mhYCwt8wBz.exe.60000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
                  Source: 0.0.mhYCwt8wBz.exe.60000.0.unpack, type: UNPACKEDPEMatched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
                  Source: 0.0.mhYCwt8wBz.exe.60000.0.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                  Source: 0.0.mhYCwt8wBz.exe.60000.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: 0.0.mhYCwt8wBz.exe.60000.0.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: 0.0.mhYCwt8wBz.exe.60000.0.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                  Source: 0.2.mhYCwt8wBz.exe.2784b78.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                  Source: 0.2.mhYCwt8wBz.exe.2784b78.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
                  Source: 0.2.mhYCwt8wBz.exe.2784b78.0.unpack, type: UNPACKEDPEMatched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
                  Source: 0.2.mhYCwt8wBz.exe.2784b78.0.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                  Source: 0.2.mhYCwt8wBz.exe.2784b78.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: 0.2.mhYCwt8wBz.exe.2784b78.0.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: 0.2.mhYCwt8wBz.exe.2784b78.0.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                  Source: 0.2.mhYCwt8wBz.exe.2784b78.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                  Source: 0.2.mhYCwt8wBz.exe.2784b78.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
                  Source: 0.2.mhYCwt8wBz.exe.2784b78.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
                  Source: 0.2.mhYCwt8wBz.exe.2784b78.0.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                  Source: 0.2.mhYCwt8wBz.exe.2784b78.0.raw.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: 0.2.mhYCwt8wBz.exe.2784b78.0.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: 0.2.mhYCwt8wBz.exe.2784b78.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                  Source: 00000000.00000000.1618665113.0000000000062000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                  Source: 00000000.00000000.1618665113.0000000000062000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                  Source: 00000000.00000000.1618665113.0000000000062000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: 00000000.00000002.1685027347.0000000002782000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                  Source: 00000000.00000002.1685027347.0000000002782000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                  Source: 00000000.00000002.1685027347.0000000002782000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                  Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, type: DROPPEDMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
                  Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, type: DROPPEDMatched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
                  Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, type: DROPPEDMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                  Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, type: DROPPEDMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, type: DROPPEDMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, type: DROPPEDMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, type: DROPPEDMatched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, type: DROPPEDMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, type: DROPPEDMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, type: DROPPEDMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                  Source: C:\Users\user\AppData\Local\Temp\Exspa.exeProcess Stats: CPU usage > 49%
                  Source: C:\Users\user\AppData\Local\Temp\Exspa.exeCode function: 1_2_0501172A NtQuerySystemInformation,1_2_0501172A
                  Source: C:\Users\user\AppData\Local\Temp\Exspa.exeCode function: 1_2_050116EF NtQuerySystemInformation,1_2_050116EF
                  Source: C:\Users\user\AppData\Local\Temp\Exspa.exeCode function: 1_2_04F51B0A1_2_04F51B0A
                  Source: mhYCwt8wBz.exe, 00000000.00000002.1684741339.00000000007FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs mhYCwt8wBz.exe
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe | Section loaded: uxtheme.dll
Source: mhYCwt8wBz.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara matches. Eight objects were scanned: mhYCwt8wBz.exe (type SAMPLE); 0.0.mhYCwt8wBz.exe.60000.0.unpack, 0.2.mhYCwt8wBz.exe.2784b78.0.unpack and 0.2.mhYCwt8wBz.exe.2784b78.0.raw.unpack (type UNPACKEDPE); 00000000.00000000.1618665113.0000000000062000.00000002.00000001.01000000.00000003.sdmp and 00000000.00000002.1685027347.0000000002782000.00000004.00000800.00020000.00000000.sdmp (type MEMORY); C:\Users\user\AppData\Local\Temp\Exspa.exe and C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe (type DROPPED). "All eight objects" below means every object in this list; "the six file objects" means the list without the two MEMORY dumps.

Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 | Sources: all eight objects
Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/ | Sources: the six file objects
Matched rule: Unknown_Malware_Sample_Jul17_2 | date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/ | Sources: the six file objects
Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net | Sources: all eight objects
Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan | Sources: all eight objects
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe | Sources: the six file objects
Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi | Sources: the six file objects
Source: mhYCwt8wBz.exe, BotKillers.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole); System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity); System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Exspa.exe.1.dr, BotKillers.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole); System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity); System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Exspa.exe.0.dr, BotKillers.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole); System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity); System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.mhYCwt8wBz.exe.2784b78.0.raw.unpack, BotKillers.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole); System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity); System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.phis.troj.adwa.spyw.expl.evad.winEXE@13/5@4/4
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Code function: 1_2_050114EA AdjustTokenPrivileges, 1_2_050114EA
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Code function: 1_2_050114B3 AdjustTokenPrivileges, 1_2_050114B3
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\mhYCwt8wBz.exe.log
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Mutant created: \Sessions\1\BaseNamedObjects\Exspa.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3444:120:WilError_03
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | File created: C:\Users\user\AppData\Local\Temp\Exspa.exe
Source: mhYCwt8wBz.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mhYCwt8wBz.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mhYCwt8wBz.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | File read: C:\Users\user\Desktop\mhYCwt8wBz.exe
Source: unknown | Process created: C:\Users\user\Desktop\mhYCwt8wBz.exe "C:\Users\user\Desktop\mhYCwt8wBz.exe"
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Process created: C:\Users\user\AppData\Local\Temp\Exspa.exe "C:\Users\user\AppData\Local\Temp\Exspa.exe"
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\user\Desktop\mhYCwt8wBz.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 5
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Exspa.exe "C:\Users\user\AppData\Local\Temp\Exspa.exe" ..
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe"
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: mhYCwt8wBz.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: mhYCwt8wBz.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: mhYCwt8wBz.exe, OK.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Exspa.exe.0.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.2.mhYCwt8wBz.exe.2784b78.0.raw.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Exspa.exe.1.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Code function: 6_2_01100734 push ss; retf 6_2_0110073D
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe | File created: C:\Users\user\AppData\Local\Temp\Exspa.exe (dropped file)
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe (dropped file)

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe (dropped file)
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.url
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Exspa.exe
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Exspa.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\mhYCwt8wBz.exe Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\user\Desktop\mhYCwt8wBz.exe"
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe Memory allocated: 7E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe Memory allocated: 2760000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe Memory allocated: 4760000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Memory allocated: 1130000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Memory allocated: 2DB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Memory allocated: 4DB0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Memory allocated: 13F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Memory allocated: 3200000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Memory allocated: 5200000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Memory allocated: 1430000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Memory allocated: 3290000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Memory allocated: 1460000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Memory allocated: 1740000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Memory allocated: 3460000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Memory allocated: 1760000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe Memory allocated: 3350000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe Memory allocated: 5350000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe Memory allocated: 10C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe Memory allocated: 3050000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe Memory allocated: 5050000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Window / User API: threadDelayed 1387
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Window / User API: threadDelayed 3589
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Window / User API: threadDelayed 4396
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Window / User API: foregroundWindowGot 1763
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe TID: 6264 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe TID: 7104 Thread sleep count: 1387 > 30
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe TID: 7104 Thread sleep time: -1387000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe TID: 7212 Thread sleep count: 3589 > 30
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe TID: 7104 Thread sleep count: 4396 > 30
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe TID: 7104 Thread sleep time: -4396000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe TID: 7476 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe TID: 7632 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe TID: 7752 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe TID: 7864 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe TID: 7984 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: Exspa.exe.1.dr Binary or memory string: VBoxServiceM{00AAC56B-CD44-11d0-8CC2-00C04FC295EE}
Source: Exspa.exe, 00000001.00000002.4080351898.0000000000CA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: mhYCwt8wBz.exe, kl.cs Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: mhYCwt8wBz.exe, kl.cs Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: mhYCwt8wBz.exe, OK.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe Process created: C:\Users\user\AppData\Local\Temp\Exspa.exe "C:\Users\user\AppData\Local\Temp\Exspa.exe"
Source: C:\Users\user\Desktop\mhYCwt8wBz.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\user\Desktop\mhYCwt8wBz.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 5
Source: Exspa.exe, 00000001.00000002.4080946239.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, Exspa.exe, 00000001.00000002.4080946239.00000000032F3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: mhYCwt8wBz.exe, Exspa.exe.0.dr, Exspa.exe.1.dr Binary or memory string: Shell_TrayWnd
Source: mhYCwt8wBz.exe, Exspa.exe.0.dr, Exspa.exe.1.dr Binary or memory string: Progman!ChamaFrmTerrorrr
Source: Exspa.exe, 00000001.00000002.4080946239.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, Exspa.exe, 00000001.00000002.4080946239.00000000032F3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@9
Source: C:\Users\user\AppData\Local\Temp\Exspa.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\Exspa.exe | Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS

Stealing of Sensitive Information

Source: Yara match | File source: mhYCwt8wBz.exe, type: SAMPLE
Source: Yara match | File source: 0.0.mhYCwt8wBz.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mhYCwt8wBz.exe.2784b78.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mhYCwt8wBz.exe.2784b78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1618665113.0000000000062000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1685027347.0000000002782000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4080946239.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mhYCwt8wBz.exe PID: 6988, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Exspa.exe PID: 6552, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Exspa.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: mhYCwt8wBz.exe, type: SAMPLE
Source: Yara match | File source: 0.0.mhYCwt8wBz.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mhYCwt8wBz.exe.2784b78.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.mhYCwt8wBz.exe.2784b78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1618665113.0000000000062000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1685027347.0000000002782000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4080946239.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mhYCwt8wBz.exe PID: 6988, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Exspa.exe PID: 6552, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Exspa.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, type: DROPPED
                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                  Native API
                  121
                  Registry Run Keys / Startup Folder
                  1
                  Access Token Manipulation
                  1
                  Masquerading
                  1
                  Input Capture
                  11
                  Security Software Discovery
                  Remote Services1
                  Input Capture
                  1
                  Encrypted Channel
                  Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault AccountsScheduled Task/Job1
                  DLL Side-Loading
                  12
                  Process Injection
                  11
                  Disable or Modify Tools
                  LSASS Memory2
                  Process Discovery
                  Remote Desktop Protocol1
                  Archive Collected Data
                  1
                  Non-Standard Port
                  Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)121
                  Registry Run Keys / Startup Folder
                  31
                  Virtualization/Sandbox Evasion
                  Security Account Manager31
                  Virtualization/Sandbox Evasion
                  SMB/Windows Admin SharesData from Network Shared Drive1
                  Non-Application Layer Protocol
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                  DLL Side-Loading
                  1
                  Access Token Manipulation
                  NTDS1
                  Application Window Discovery
                  Distributed Component Object ModelInput Capture11
                  Application Layer Protocol
                  Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script12
                  Process Injection
                  LSA Secrets2
                  File and Directory Discovery
                  SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                  Obfuscated Files or Information
                  Cached Domain Credentials2
                  System Information Discovery
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                  Software Packing
                  DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                  DLL Side-Loading
                  Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                  File Deletion
                  /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
Behavior Graph ID: 1421033 | Sample: mhYCwt8wBz.exe | Start date: 05/04/2024 | Architecture: WINDOWS | Score: 100

Top-level node:
• DNS/IP: 6.tcp.eu.ngrok.io
• Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 14 other signatures
• Processes started: mhYCwt8wBz.exe; Exspa.exe; Exspa.exe; 3 other processes

mhYCwt8wBz.exe:
• Dropped file: C:\Users\user\AppData\Local\Temp\Exspa.exe, PE32
• Signature: Self deletion via cmd or bat file
• Processes started: Exspa.exe; cmd.exe

Exspa.exe:
• DNS/IP: 6.tcp.eu.ngrok.io 3.68.171.119, ports 11964, 49730, 49736, AMAZON-02US, United States
• DNS/IP: 3.66.38.117, ports 11964, 49775, 49776, AMAZON-02US, United States
• 2 other IPs or domains
• Dropped file: C:\Users\user\AppData\Roaming\...\Exspa.exe, PE32
• Dropped file: C:\Users\user\AppData\Roaming\...\Exspa.url, MS
• Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures

cmd.exe:
• Processes started: conhost.exe; choice.exe

Source | Detection | Scanner | Label
mhYCwt8wBz.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
mhYCwt8wBz.exe | 100% | Avira | TR/Dropper.Gen
mhYCwt8wBz.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Exspa.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\Exspa.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Exspa.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi

No Antivirus matches

Source | Detection | Scanner | Label
6.tcp.eu.ngrok.io | 100% | Avira URL Cloud | malware

Name | IP | Active | Malicious | Antivirus Detection | Reputation
6.tcp.eu.ngrok.io | 3.68.171.119 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
6.tcp.eu.ngrok.io | true | Avira URL Cloud: malware | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://pastebin.com/raw/EngADTbC=MicrosoftEdgeUpdateTaskMachine | mhYCwt8wBz.exe, Exspa.exe.0.dr, Exspa.exe.1.dr | false | | high
https://pastebin.com/raw/EngADTbC | mhYCwt8wBz.exe, 00000000.00000002.1685027347.0000000002761000.00000004.00000800.00020000.00000000.sdmp, Exspa.exe, 00000001.00000002.4080946239.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, Exspa.exe, 00000006.00000002.1921259206.0000000003201000.00000004.00000800.00020000.00000000.sdmp, Exspa.exe, 00000009.00000002.2003870537.0000000003291000.00000004.00000800.00020000.00000000.sdmp, Exspa.exe, 0000000A.00000002.2085871974.0000000003461000.00000004.00000800.00020000.00000000.sdmp, Exspa.exe, 0000000C.00000002.2167255698.0000000003351000.00000004.00000800.00020000.00000000.sdmp, Exspa.exe, 0000000D.00000002.2249619443.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
3.66.38.117 | unknown | United States | 16509 | AMAZON-02US | false
52.28.247.255 | unknown | United States | 16509 | AMAZON-02US | false
3.68.171.119 | 6.tcp.eu.ngrok.io | United States | 16509 | AMAZON-02US | true
3.69.157.220 | unknown | United States | 16509 | AMAZON-02US | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1421033
Start date and time: 2024-04-05 19:21:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: mhYCwt8wBz.exe (renamed because the original name is a hash value)
Original Sample Name: 2fb7fc0949aa14070e5e5d1ec37d48e7.exe
Detection: MAL
Classification: mal100.phis.troj.adwa.spyw.expl.evad.winEXE@13/5@4/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 184
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: mhYCwt8wBz.exe
Time | Type | Description
18:22:07 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Exspa.exe "C:\Users\user\AppData\Local\Temp\Exspa.exe" ..
18:22:15 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Exspa.exe "C:\Users\user\AppData\Local\Temp\Exspa.exe" ..
18:22:24 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Exspa.exe "C:\Users\user\AppData\Local\Temp\Exspa.exe" ..
18:22:32 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe
18:22:40 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.url
19:22:38 | API Interceptor | 519533x Sleep call for process: Exspa.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name

3.66.38.117:
• 592CDAD0A5B0AE90E0C812AECB2677096AF06CF941CE2.exe | malicious | Njrat
• U22p1GcCSb.exe | malicious | Njrat
• NfJ0jC2dPr.exe | malicious | Njrat
• ziTLBa3N50.exe | malicious | Njrat
• 1.exe | malicious | Njrat
• 226dVJ2zRZ.exe | malicious | Njrat
• IsJb5hB84q.exe | malicious | Njrat
• Terraria.exe | malicious | Njrat
• rkIcS0Y2WY.exe | malicious | Njrat
• m5l9v13hIi.exe | malicious | Njrat

52.28.247.255:
• 592CDAD0A5B0AE90E0C812AECB2677096AF06CF941CE2.exe | malicious | Njrat
• U22p1GcCSb.exe | malicious | Njrat
• M5vARlA2c4.exe | malicious | Njrat
• 1.exe | malicious | Njrat
• rkIcS0Y2WY.exe | malicious | Njrat
• N1aqZIb7KG.exe | malicious | Njrat
• QsKtlzYaKF.exe | malicious | Njrat
• dKe1GfZOs1.exe | malicious | Njrat
• X5eo58PPCB.exe | malicious | Njrat
• ZuXcnAYgVp.exe | malicious | Njrat

3.68.171.119:
• 592CDAD0A5B0AE90E0C812AECB2677096AF06CF941CE2.exe | malicious | Njrat
• U22p1GcCSb.exe | malicious | Njrat
• M5vARlA2c4.exe | malicious | Njrat
• YTYyFVemXR.exe | malicious | Njrat
• zyx3qItgQK.exe | malicious | Njrat
• NfJ0jC2dPr.exe | malicious | Njrat
• 226dVJ2zRZ.exe | malicious | Njrat
• N1aqZIb7KG.exe | malicious | Njrat
• m5l9v13hIi.exe | malicious | Njrat
• sCXwkZrcZ3.exe | malicious | Njrat

3.69.157.220:
• Client.exe | malicious | AsyncRAT, DcRat
• YTYyFVemXR.exe | malicious | Njrat
• NfJ0jC2dPr.exe | malicious | Njrat
• ziTLBa3N50.exe | malicious | Njrat
• 1.exe | malicious | Njrat
• 226dVJ2zRZ.exe | malicious | Njrat
• myidJB8lDL.exe | malicious | Njrat
• QsKtlzYaKF.exe | malicious | Njrat
• xZLQ8X9Cxo.exe | malicious | Njrat
• dKe1GfZOs1.exe | malicious | Njrat

Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)

6.tcp.eu.ngrok.io:
• 592CDAD0A5B0AE90E0C812AECB2677096AF06CF941CE2.exe | malicious | Njrat | 52.28.247.255
• U22p1GcCSb.exe | malicious | Njrat | 3.66.38.117
• Client.exe | malicious | AsyncRAT, DcRat | 3.69.157.220
• M5vARlA2c4.exe | malicious | Njrat | 3.68.171.119
• YTYyFVemXR.exe | malicious | Njrat | 3.68.171.119
• zyx3qItgQK.exe | malicious | Njrat | 3.69.115.178
• NfJ0jC2dPr.exe | malicious | Njrat | 3.69.157.220
• ziTLBa3N50.exe | malicious | Njrat | 3.69.157.220
• 1.exe | malicious | Njrat | 3.66.38.117
• 226dVJ2zRZ.exe | malicious | Njrat | 3.69.157.220

Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)

AMAZON-02US:
• https://trk.klclick.com/ls/click?upn=u001.Q-2FRM-2Bs26jJfGw5AtNrGvPElR21Fg91L95yj4Iz7-2B9G-2B3KPT4UTHFBvpJSSQd5DbUCa-2FgT20Nr-2FI-2Fl-2Bw02Q5kQVLNQCmEXSYzNqG4I9-2FWzMU-3D_yf-_EMv3ibMoStDGptK1Lms5B9GNcIxUJoI7nZBoidcaOggmj5FAjQl0qnOmLtI1x1Ohc-2BFRm3llFgfvw4mcvsY2XyBfnm98SHSdVCZ86-2BuKsLC9TiMREXmWLtb9XN85omSoULbzgNKo8btbmPCJnm6DuzybU2cyp-2BAjh-2BCBHcGcZ-2BljQXaxBUINeSHu-2Bxv5rrih-2FiSTOEtfcLo-2FbwjHZ3ZafNJBrTlWjJSftzVp-2FcV-2BioF1z5UMgToiIzYHW-2Br37XcJ57c-2FuTma8IFo-2B3lZn3cS-2BLKyyRV321xRUJLTBYZ63nI5Z9Ta0wRgXvdEvqv1OsFX | malicious | Unknown | 99.84.252.110
• JmGzVinPrF.elf | malicious | Gafgyt, Mirai | 34.249.145.219
• MxKeSlvcDj.elf | malicious | Unknown | 34.243.160.129
• qT9zrWgIvh.elf | malicious | Gafgyt, Mirai | 34.254.182.186
• PJVtvJuItD.elf | malicious | Gafgyt, Mirai | 54.171.230.55
• https://ex.amarokse.de/i21/ | malicious | Unknown | 108.156.83.83
• https://flow.page/carricoaquatics.com | malicious | HTMLPhisher | 108.156.83.27
• https://onlinecheckwriter.com | malicious | Unknown | 65.8.178.89
• Bmvs4x3PTn.elf | malicious | Unknown | 54.171.230.55
• 5Mi7o1wTLj.elf | malicious | Mirai | 34.249.145.219
                                                                                                        • 99.84.252.110
                                                                                                        JmGzVinPrF.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                                        • 34.249.145.219
                                                                                                        MxKeSlvcDj.elfGet hashmaliciousUnknownBrowse
                                                                                                        • 34.243.160.129
                                                                                                        qT9zrWgIvh.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                                        • 34.254.182.186
                                                                                                        PJVtvJuItD.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                                        • 54.171.230.55
                                                                                                        https://ex.amarokse.de/i21/Get hashmaliciousUnknownBrowse
                                                                                                        • 108.156.83.83
                                                                                                        https://flow.page/carricoaquatics.comGet hashmaliciousHTMLPhisherBrowse
                                                                                                        • 108.156.83.27
                                                                                                        https://onlinecheckwriter.comGet hashmaliciousUnknownBrowse
                                                                                                        • 65.8.178.89
                                                                                                        Bmvs4x3PTn.elfGet hashmaliciousUnknownBrowse
                                                                                                        • 54.171.230.55
                                                                                                        5Mi7o1wTLj.elfGet hashmaliciousMiraiBrowse
                                                                                                        • 34.249.145.219
                                                                                                        No context
                                                                                                        No context
                                                                                                        Process:C:\Users\user\AppData\Local\Temp\Exspa.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):525
                                                                                                        Entropy (8bit):5.259753436570609
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
                                                                                                        MD5:260E01CC001F9C4643CA7A62F395D747
                                                                                                        SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
                                                                                                        SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
                                                                                                        SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
                                                                                                        Malicious:false
                                                                                                        Reputation:moderate, very likely benign file
                                                                                                        Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                                                                                                        Process:C:\Users\user\Desktop\mhYCwt8wBz.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):525
                                                                                                        Entropy (8bit):5.259753436570609
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
                                                                                                        MD5:260E01CC001F9C4643CA7A62F395D747
                                                                                                        SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
                                                                                                        SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
                                                                                                        SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
                                                                                                        Malicious:false
                                                                                                        Reputation:moderate, very likely benign file
                                                                                                        Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                                                                                                        Process:C:\Users\user\Desktop\mhYCwt8wBz.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):67072
                                                                                                        Entropy (8bit):5.822801904545
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:1536:FIkoUoN36tSQviFw1gnRuBnvbLfLteF3nLrB9z3nNaF9bIS9vM:FIkoUoN36tSQviFC08BnHfWl9zdaF9bw
                                                                                                        MD5:2FB7FC0949AA14070E5E5D1EC37D48E7
                                                                                                        SHA1:9B0043790D9881F690E11086004D3218648D9C22
                                                                                                        SHA-256:246AB25A7240D684C1A6BF5ABD6BCD6F13E0D86C97940883BC249E2B7CB23853
                                                                                                        SHA-512:13A475DF0962A72F8C817511DBDA22EFB07C41167EBAC229C7B0193A88C0F6BF383025E1327732B152D8A53AB4358D4B40D3C6F4B09CC3881165BDA826E16F3B
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, Author: unknown
                                                                                                        • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, Author: Florian Roth
                                                                                                        • Rule: Unknown_Malware_Sample_Jul17_2, Description: Detects unknown malware sample with pastebin RAW URL, Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, Author: Florian Roth
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, Author: ditekSHen
                                                                                                        • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, Author: ditekSHen
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        • Antivirus: ReversingLabs, Detection: 84%
                                                                                                        Reputation:low
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K..f................................. ... ....@.. .......................`............@.....................................W.... ..@....................@....................................................... ............... ..H............text...4.... ...................... ..`.rsrc...@.... ......................@..@.reloc.......@......................@..B........................H...........8.............................................................1..........$|..........<.t........I am virus! Fuck You :-)............................................................................................................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\AppData\Local\Temp\Exspa.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):67072
                                                                                                        Entropy (8bit):5.822801904545
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:1536:FIkoUoN36tSQviFw1gnRuBnvbLfLteF3nLrB9z3nNaF9bIS9vM:FIkoUoN36tSQviFC08BnHfWl9zdaF9bw
                                                                                                        MD5:2FB7FC0949AA14070E5E5D1EC37D48E7
                                                                                                        SHA1:9B0043790D9881F690E11086004D3218648D9C22
                                                                                                        SHA-256:246AB25A7240D684C1A6BF5ABD6BCD6F13E0D86C97940883BC249E2B7CB23853
                                                                                                        SHA-512:13A475DF0962A72F8C817511DBDA22EFB07C41167EBAC229C7B0193A88C0F6BF383025E1327732B152D8A53AB4358D4B40D3C6F4B09CC3881165BDA826E16F3B
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, Author: unknown
                                                                                                        • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, Author: Florian Roth
                                                                                                        • Rule: Unknown_Malware_Sample_Jul17_2, Description: Detects unknown malware sample with pastebin RAW URL, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, Author: Florian Roth
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, Author: ditekSHen
                                                                                                        • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, Author: ditekSHen
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        • Antivirus: ReversingLabs, Detection: 84%
                                                                                                        Reputation:low
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K..f................................. ... ....@.. .......................`............@.....................................W.... ..@....................@....................................................... ............... ..H............text...4.... ...................... ..`.rsrc...@.... ......................@..@.reloc.......@......................@..B........................H...........8.............................................................1..........$|..........<.t........I am virus! Fuck You :-)............................................................................................................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\AppData\Local\Temp\Exspa.exe
                                                                                                        File Type:MS Windows 95 Internet shortcut text (URL=<file:///C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe>), ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):176
                                                                                                        Entropy (8bit):5.162178625646672
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:HRAbABGQYm5uOt+kiEaKC5SufyM1K/RFofD6tRQ8Wu0rvQJ5UvycAI9Ryn:HRYFVmwOwknaZ5SuH1MUmt28307QJ5Uo
                                                                                                        MD5:C33C9E15DA17109681EDD9C87E157454
                                                                                                        SHA1:09D81E9DB269945CCF07DA9EFC4E991A13777E78
                                                                                                        SHA-256:F783C993AA04883B0E64E222FBA31CA6A936F59ED581D673095DEBCD014D0033
                                                                                                        SHA-512:7DEF42DCE5BFEA6F72DDC47BB0505D71A9F0D98FD230E56FFCCFADC59B50783D5DD283F8BE9300A886F4403AE608DF2948A22A7E7A12112F77E17360ACFDB5BC
                                                                                                        Malicious:true
                                                                                                        Reputation:low
                                                                                                        Preview:[InternetShortcut]..URL=file:///C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe..IconIndex=17..IconFile=C:\Windows\system32\SHELL32.dll..
                                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Entropy (8bit):5.822801904545
                                                                                                        TrID:
                                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                        • Windows Screen Saver (13104/52) 0.07%
                                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                        File name:mhYCwt8wBz.exe
                                                                                                        File size:67'072 bytes
                                                                                                        MD5:2fb7fc0949aa14070e5e5d1ec37d48e7
                                                                                                        SHA1:9b0043790d9881f690e11086004d3218648d9c22
                                                                                                        SHA256:246ab25a7240d684c1a6bf5abd6bcd6f13e0d86c97940883bc249e2b7cb23853
                                                                                                        SHA512:13a475df0962a72f8c817511dbda22efb07c41167ebac229c7b0193a88c0f6bf383025e1327732b152d8a53ab4358d4b40d3c6f4b09cc3881165bda826e16f3b
                                                                                                        SSDEEP:1536:FIkoUoN36tSQviFw1gnRuBnvbLfLteF3nLrB9z3nNaF9bIS9vM:FIkoUoN36tSQviFC08BnHfWl9zdaF9bw
                                                                                                        TLSH:11634B4877958A55D2BD2E7844F296518730E50B6D03F72E4CD120FBABB3EC44A82BE7
                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K..f................................. ... ....@.. .......................`............@................................
                                                                                                        Icon Hash:90cececece8e8eb0
                                                                                                        Entrypoint:0x411c2e
                                                                                                        Entrypoint Section:.text
                                                                                                        Digitally signed:false
                                                                                                        Imagebase:0x400000
                                                                                                        Subsystem:windows gui
                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                        Time Stamp:0x66069F4B [Fri Mar 29 11:00:27 2024 UTC]
                                                                                                        TLS Callbacks:
                                                                                                        CLR (.Net) Version:
                                                                                                        OS Version Major:4
                                                                                                        OS Version Minor:0
                                                                                                        File Version Major:4
                                                                                                        File Version Minor:0
                                                                                                        Subsystem Version Major:4
                                                                                                        Subsystem Version Minor:0
                                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al          (repeated 97 times in the report: the disassembler decoding the 00 00 bytes that pad the rest of the entry-point preview)

Note: this is the standard native entry stub of a .NET executable. Assuming the default 0x400000 image base, the operand 0x402000 is RVA 0x2000, the 8-byte IAT listed in the data directories below, whose single entry is mscoree.dll!_CorExeMain. Control passes straight to the CLR and the program logic is managed code reached through the COM descriptor (CLI header) at RVA 0x2008, which is why nothing but the jmp and zero padding appears here.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x11bd4          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x12000          0x240         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x14000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0xfc34        0xfe00    0008859b44bad9698c92ad320324bed2  False     0.47038016732283466  data       5.846326734727716    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x12000          0x240         0x400     08e614b8f1d20a50b5b3684e856ff5f3  False     0.3115234375         data       4.965539353996097    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x14000          0xc           0x200     4998dab38619fe0880bcb520e43fac21  False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                      Language  Country  ZLIB Complexity
RT_MANIFEST  0x12058  0x1e7  XML 1.0 document, ASCII text, with CRLF line terminators                     0.5338809034907598
DLL          Import
mscoree.dll  _CorExeMain
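The "Is in Section" column of the data-directory table and the meaning of the entry-point stub can both be recomputed from the numbers printed above. The following is an added example, not part of the Joe Sandbox report or its tooling: it copies the section, data-directory and import values from the tables above into constants, maps RVAs to sections the way a PE loader does, and resolves the `jmp dword ptr [00402000h]` operand to the import it dereferences. The image base (0x400000) is an assumption; it is not shown in this part of the report and is inferred from the jmp operand landing on the IAT at RVA 0x2000.

```python
# Added example: recompute the data-directory "Is in Section" column from the section table and
# resolve the .NET entry stub to its import. Constants are copied from the report's tables;
# IMAGE_BASE is an assumption (see below).

# (name, VirtualAddress, VirtualSize, SizeOfRawData) from the section table
SECTIONS = [
    (".text",  0x2000,  0xfc34, 0xfe00),
    (".rsrc",  0x12000, 0x240,  0x400),
    (".reloc", 0x14000, 0xc,    0x200),
]

# name -> (RVA, size) from the data-directory table; zero entries are unused
DATA_DIRECTORIES = {
    "IMAGE_DIRECTORY_ENTRY_EXPORT":         (0x0, 0x0),
    "IMAGE_DIRECTORY_ENTRY_IMPORT":         (0x11bd4, 0x57),
    "IMAGE_DIRECTORY_ENTRY_RESOURCE":       (0x12000, 0x240),
    "IMAGE_DIRECTORY_ENTRY_EXCEPTION":      (0x0, 0x0),
    "IMAGE_DIRECTORY_ENTRY_SECURITY":       (0x0, 0x0),
    "IMAGE_DIRECTORY_ENTRY_BASERELOC":      (0x14000, 0xc),
    "IMAGE_DIRECTORY_ENTRY_DEBUG":          (0x0, 0x0),
    "IMAGE_DIRECTORY_ENTRY_COPYRIGHT":      (0x0, 0x0),
    "IMAGE_DIRECTORY_ENTRY_GLOBALPTR":      (0x0, 0x0),
    "IMAGE_DIRECTORY_ENTRY_TLS":            (0x0, 0x0),
    "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG":    (0x0, 0x0),
    "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT":   (0x0, 0x0),
    "IMAGE_DIRECTORY_ENTRY_IAT":            (0x2000, 0x8),
    "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT":   (0x0, 0x0),
    "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR": (0x2008, 0x48),
    "IMAGE_DIRECTORY_ENTRY_RESERVED":       (0x0, 0x0),
}

# The import table lists exactly one function. On a 32-bit image the 8-byte IAT is one 4-byte
# thunk plus the terminating zero, so slot 0 is that import.
IAT_ENTRIES = [("mscoree.dll", "_CorExeMain")]

# Assumption: the image base is not printed in this part of the report. 0x400000 is the default
# for 32-bit executables and is what makes the operand 0x402000 land on the IAT at RVA 0x2000.
IMAGE_BASE = 0x400000
ENTRY_STUB_TARGET = 0x00402000   # operand of `jmp dword ptr [00402000h]` at the entry point


def rva_to_section(rva, sections=SECTIONS):
    """Name of the section whose mapped range contains `rva`, or None.

    Once mapped, a section occupies [VirtualAddress, VirtualAddress + max(VirtualSize, SizeOfRawData)).
    """
    for name, va, vsize, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return name
    return None


def span_section(rva, size, sections=SECTIONS):
    """Section holding the whole [rva, rva + size) range; None for empty entries and for ranges
    that straddle a section boundary (which would be a red flag in a PE header)."""
    if size == 0:
        return None
    first = rva_to_section(rva, sections)
    last = rva_to_section(rva + size - 1, sections)
    return first if first is not None and first == last else None


def directory_sections(dirs=DATA_DIRECTORIES):
    """Recompute the report's 'Is in Section' column for every data-directory entry."""
    return {name: span_section(rva, size) for name, (rva, size) in dirs.items()}


def resolve_entry_stub(target_va=ENTRY_STUB_TARGET, image_base=IMAGE_BASE):
    """Translate the indirect-jmp operand to an RVA, check that it is a slot inside the IAT
    directory, and return the (dll, function) that slot imports; None otherwise."""
    rva = target_va - image_base
    iat_rva, iat_size = DATA_DIRECTORIES["IMAGE_DIRECTORY_ENTRY_IAT"]
    if not (iat_rva <= rva < iat_rva + iat_size) or span_section(iat_rva, iat_size) is None:
        return None
    slot = (rva - iat_rva) // 4          # 32-bit thunks
    return IAT_ENTRIES[slot] if slot < len(IAT_ENTRIES) else None


if __name__ == "__main__":
    for name, sec in directory_sections().items():
        print(f"{name:<40} {sec or '-'}")
    print("entry stub jumps through the IAT to:", resolve_entry_stub())
    print("RT_MANIFEST (0x12058, 0x1e7) lies in:", span_section(0x12058, 0x1e7))
```

Resolving the stub to `_CorExeMain` confirms that the native entry point only hands control to the CLR; the program logic is IL reached through the COM descriptor (CLI header) at RVA 0x2008 in .text, so analysis effort belongs on the managed code, which is where the .NET-specific signatures in this report (keylogging, suspicious native API references, unpacker) come from.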
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Apr 5, 2024 19:22:07.297816992 CEST  49730        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:07.537115097 CEST  11964        49730      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:08.041009903 CEST  49730        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:08.280199051 CEST  11964        49730      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:08.791017056 CEST  49730        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:09.030184984 CEST  11964        49730      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:09.541027069 CEST  49730        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:09.780365944 CEST  11964        49730      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:10.290986061 CEST  49730        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:10.530154943 CEST  11964        49730      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:12.543591976 CEST  49736        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:12.785280943 CEST  11964        49736      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:13.290991068 CEST  49736        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:13.531755924 CEST  11964        49736      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:14.041004896 CEST  49736        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:14.282237053 CEST  11964        49736      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:14.790998936 CEST  49736        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:15.033235073 CEST  11964        49736      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:15.541068077 CEST  49736        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:15.781963110 CEST  11964        49736      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:17.792440891 CEST  49738        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:18.033575058 CEST  11964        49738      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:18.541110039 CEST  49738        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:18.781913042 CEST  11964        49738      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:19.291182995 CEST  49738        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:19.532299042 CEST  11964        49738      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:20.041100979 CEST  49738        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:20.281969070 CEST  11964        49738      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:20.791136980 CEST  49738        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:21.032208920 CEST  11964        49738      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:23.042489052 CEST  49739        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:23.288069010 CEST  11964        49739      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:23.790998936 CEST  49739        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:24.030498028 CEST  11964        49739      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:24.541148901 CEST  49739        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:24.780972958 CEST  11964        49739      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:25.291121006 CEST  49739        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:25.530958891 CEST  11964        49739      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:26.041121960 CEST  49739        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:26.280565023 CEST  11964        49739      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:29.386138916 CEST  49740        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:29.626821995 CEST  11964        49740      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:30.134767056 CEST  49740        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:30.374135971 CEST  11964        49740      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:30.884887934 CEST  49740        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:31.125152111 CEST  11964        49740      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:31.634818077 CEST  49740        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:31.874281883 CEST  11964        49740      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:32.384761095 CEST  49740        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:32.624665976 CEST  11964        49740      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:34.651366949 CEST  49741        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:34.892337084 CEST  11964        49741      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:35.400394917 CEST  49741        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:35.641218901 CEST  11964        49741      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:36.150466919 CEST  49741        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:36.391288996 CEST  11964        49741      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:36.900392056 CEST  49741        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:37.141921043 CEST  11964        49741      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:37.650381088 CEST  49741        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:37.891030073 CEST  11964        49741      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:39.902389050 CEST  49742        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:40.143434048 CEST  11964        49742      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:40.650388956 CEST  49742        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:40.893666029 CEST  11964        49742      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:41.400412083 CEST  49742        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:41.641434908 CEST  11964        49742      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:42.150455952 CEST  49742        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:42.391464949 CEST  11964        49742      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:42.900372982 CEST  49742        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:43.141352892 CEST  11964        49742      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:45.214732885 CEST  49743        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:45.454227924 CEST  11964        49743      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:45.962941885 CEST  49743        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:46.201275110 CEST  11964        49743      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:46.712901115 CEST  49743        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:46.951157093 CEST  11964        49743      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:47.463067055 CEST  49743        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:47.702070951 CEST  11964        49743      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:48.212982893 CEST  49743        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:48.451857090 CEST  11964        49743      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:50.464070082 CEST  49745        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:50.705948114 CEST  11964        49745      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:51.212992907 CEST  49745        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:51.454996109 CEST  11964        49745      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:51.962922096 CEST  49745        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:52.204854965 CEST  11964        49745      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:52.712944984 CEST  49745        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:52.954829931 CEST  11964        49745      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:53.462941885 CEST  49745        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:53.704904079 CEST  11964        49745      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:55.714411974 CEST  49746        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:55.956093073 CEST  11964        49746      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:56.462908030 CEST  49746        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:56.704787970 CEST  11964        49746      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:57.212958097 CEST  49746        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:57.454622030 CEST  11964        49746      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:57.963002920 CEST  49746        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:58.204879045 CEST  11964        49746      3.68.171.119  192.168.2.4
Apr 5, 2024 19:22:58.712914944 CEST  49746        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:22:58.954618931 CEST  11964        49746      3.68.171.119  192.168.2.4
Apr 5, 2024 19:23:02.179332972 CEST  49747        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:23:02.419209957 CEST  11964        49747      3.68.171.119  192.168.2.4
Apr 5, 2024 19:23:02.931751966 CEST  49747        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:23:03.171639919 CEST  11964        49747      3.68.171.119  192.168.2.4
Apr 5, 2024 19:23:03.681854010 CEST  49747        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:23:03.925462961 CEST  11964        49747      3.68.171.119  192.168.2.4
Apr 5, 2024 19:23:04.431691885 CEST  49747        11964      192.168.2.4   3.68.171.119
Apr 5, 2024 19:23:04.671680927 CEST  11964        49747      3.68.171.119  192.168.2.4
                                                                                                        Apr 5, 2024 19:23:05.181653023 CEST4974711964192.168.2.43.68.171.119
                                                                                                        Apr 5, 2024 19:23:05.422029018 CEST11964497473.68.171.119192.168.2.4
                                                                                                        Apr 5, 2024 19:23:07.572887897 CEST4974811964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:07.814635992 CEST11964497483.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:08.322419882 CEST4974811964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:08.562649965 CEST11964497483.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:09.072408915 CEST4974811964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:09.312814951 CEST11964497483.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:09.822283983 CEST4974811964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:10.062478065 CEST11964497483.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:10.572297096 CEST4974811964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:10.815032959 CEST11964497483.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:12.823803902 CEST4974911964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:13.064291000 CEST11964497493.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:13.572813034 CEST4974911964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:13.813113928 CEST11964497493.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:14.323796988 CEST4974911964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:14.564997911 CEST11964497493.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:15.072309971 CEST4974911964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:15.312861919 CEST11964497493.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:15.822365046 CEST4974911964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:16.062577009 CEST11964497493.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:18.073355913 CEST4975011964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:18.313458920 CEST11964497503.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:18.824409008 CEST4975011964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:19.064522028 CEST11964497503.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:19.572319031 CEST4975011964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:19.812208891 CEST11964497503.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:20.385602951 CEST4975011964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:20.625541925 CEST11964497503.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:21.275468111 CEST4975011964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:21.515302896 CEST11964497503.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:23.526591063 CEST4975111964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:23.768583059 CEST11964497513.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:24.369205952 CEST4975111964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:24.610922098 CEST11964497513.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:25.259862900 CEST4975111964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:25.501583099 CEST11964497513.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:26.072318077 CEST4975111964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:26.314327002 CEST11964497513.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:26.869163990 CEST4975111964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:27.110781908 CEST11964497513.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:29.123294115 CEST4975211964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:29.364614010 CEST11964497523.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:29.884793997 CEST4975211964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:30.127505064 CEST11964497523.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:30.681695938 CEST4975211964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:30.922976017 CEST11964497523.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:31.572388887 CEST4975211964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:31.813725948 CEST11964497523.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:32.384944916 CEST4975211964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:32.626513958 CEST11964497523.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:34.638606071 CEST4975311964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:34.881577969 CEST11964497533.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:35.462948084 CEST4975311964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:35.705112934 CEST11964497533.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:36.259927988 CEST4975311964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:36.500511885 CEST11964497533.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:37.072329044 CEST4975311964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:37.312895060 CEST11964497533.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:37.869240046 CEST4975311964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:38.110050917 CEST11964497533.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:39.996628046 CEST4975411964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:40.236109972 CEST11964497543.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:40.744123936 CEST4975411964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:40.983221054 CEST11964497543.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:41.572367907 CEST4975411964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:41.812868118 CEST11964497543.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:42.369196892 CEST4975411964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:42.608921051 CEST11964497543.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:43.259850025 CEST4975411964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:43.499108076 CEST11964497543.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:45.245676041 CEST4975511964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:45.486275911 CEST11964497553.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:46.072351933 CEST4975511964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:46.312643051 CEST11964497553.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:46.884871006 CEST4975511964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:47.125252008 CEST11964497553.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:47.775651932 CEST4975511964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:48.020858049 CEST11964497553.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:48.572324038 CEST4975511964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:48.812227011 CEST11964497553.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:50.452354908 CEST4975611964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:50.692250013 CEST11964497563.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:51.247174978 CEST4975611964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:51.486927032 CEST11964497563.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:52.072323084 CEST4975611964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:52.311897993 CEST11964497563.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:52.962955952 CEST4975611964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:53.202617884 CEST11964497563.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:53.775440931 CEST4975611964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:54.015185118 CEST11964497563.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:56.246052027 CEST4975711964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:56.488111019 CEST11964497573.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:57.077641964 CEST4975711964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:57.319461107 CEST11964497573.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:57.884896994 CEST4975711964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:58.126749039 CEST11964497573.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:58.681824923 CEST4975711964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:58.923748970 CEST11964497573.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:23:59.572442055 CEST4975711964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:23:59.814918995 CEST11964497573.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:24:01.263046980 CEST4975811964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:24:01.504719019 CEST11964497583.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:24:02.087954998 CEST4975811964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:24:02.329411030 CEST11964497583.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:24:02.884826899 CEST4975811964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:24:03.127078056 CEST11964497583.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:24:03.681822062 CEST4975811964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:24:03.923358917 CEST11964497583.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:24:04.587965965 CEST4975811964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:24:04.829462051 CEST11964497583.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:24:06.167346954 CEST4975911964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:24:06.410228968 CEST11964497593.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:24:07.072443008 CEST4975911964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:24:07.313772917 CEST11964497593.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:24:07.869225979 CEST4975911964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:24:08.124398947 CEST11964497593.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:24:08.759835005 CEST4975911964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:24:09.001341105 CEST11964497593.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:24:09.572391033 CEST4975911964192.168.2.43.69.157.220
                                                                                                        Apr 5, 2024 19:24:09.813731909 CEST11964497593.69.157.220192.168.2.4
                                                                                                        Apr 5, 2024 19:24:12.649383068 CEST4976011964192.168.2.452.28.247.255
                                                                                                        Apr 5, 2024 19:24:12.892554045 CEST119644976052.28.247.255192.168.2.4
                                                                                                        Apr 5, 2024 19:24:13.587976933 CEST4976011964192.168.2.452.28.247.255
                                                                                                        Apr 5, 2024 19:24:13.830274105 CEST119644976052.28.247.255192.168.2.4
                                                                                                        Apr 5, 2024 19:24:14.384968042 CEST4976011964192.168.2.452.28.247.255
                                                                                                        Apr 5, 2024 19:24:14.627065897 CEST119644976052.28.247.255192.168.2.4
                                                                                                        Apr 5, 2024 19:24:15.181706905 CEST4976011964192.168.2.452.28.247.255
                                                                                                        Apr 5, 2024 19:24:15.423703909 CEST119644976052.28.247.255192.168.2.4
                                                                                                        Apr 5, 2024 19:24:16.072335958 CEST4976011964192.168.2.452.28.247.255
                                                                                                        Apr 5, 2024 19:24:16.314817905 CEST119644976052.28.247.255192.168.2.4
                                                                                                        Apr 5, 2024 19:24:17.479774952 CEST4976111964192.168.2.452.28.247.255
                                                                                                        Apr 5, 2024 19:24:17.719369888 CEST119644976152.28.247.255192.168.2.4
                                                                                                        Apr 5, 2024 19:24:18.224705935 CEST4976111964192.168.2.452.28.247.255
                                                                                                        Apr 5, 2024 19:24:18.464500904 CEST119644976152.28.247.255192.168.2.4
                                                                                                        Apr 5, 2024 19:24:19.072331905 CEST4976111964192.168.2.452.28.247.255
                                                                                                        Apr 5, 2024 19:24:19.311927080 CEST119644976152.28.247.255192.168.2.4
                                                                                                        Apr 5, 2024 19:24:19.962969065 CEST4976111964192.168.2.452.28.247.255
                                                                                                        Apr 5, 2024 19:24:20.203484058 CEST119644976152.28.247.255192.168.2.4
                                                                                                        Apr 5, 2024 19:24:20.775475025 CEST4976111964192.168.2.452.28.247.255
                                                                                                        Apr 5, 2024 19:24:21.019875050 CEST119644976152.28.247.255192.168.2.4
                                                                                                        Apr 5, 2024 19:24:22.109770060 CEST4976211964192.168.2.452.28.247.255
                                                                                                        Apr 5, 2024 19:24:22.350229979 CEST119644976252.28.247.255192.168.2.4
                                                                                                        Apr 5, 2024 19:24:22.869206905 CEST4976211964192.168.2.452.28.247.255
                                                                                                        Apr 5, 2024 19:24:23.109728098 CEST119644976252.28.247.255192.168.2.4
                                                                                                        Apr 5, 2024 19:24:23.666110039 CEST4976211964192.168.2.452.28.247.255
                                                                                                        Apr 5, 2024 19:24:23.906630993 CEST119644976252.28.247.255192.168.2.4
                                                                                                        Apr 5, 2024 19:24:24.572341919 CEST4976211964192.168.2.452.28.247.255
                                                                                                        Apr 5, 2024 19:24:24.813199997 CEST119644976252.28.247.255192.168.2.4
                                                                                                        Apr 5, 2024 19:24:25.462975025 CEST4976211964192.168.2.452.28.247.255
                                                                                                        Apr 5, 2024 19:24:25.703763008 CEST119644976252.28.247.255192.168.2.4
                                                                                                        Apr 5, 2024 19:24:26.714397907 CEST4976311964192.168.2.452.28.247.255
                                                                                                        Apr 5, 2024 19:24:26.956549883 CEST119644976352.28.247.255192.168.2.4
                                                                                                        Apr 5, 2024 19:24:27.572352886 CEST4976311964192.168.2.452.28.247.255
                                                                                                        Apr 5, 2024 19:24:27.813064098 CEST119644976352.28.247.255192.168.2.4
                                                                                                        Apr 5, 2024 19:24:28.384850025 CEST4976311964192.168.2.452.28.247.255
                                                                                                        Apr 5, 2024 19:24:28.625664949 CEST119644976352.28.247.255192.168.2.4
                                                                                                        Apr 5, 2024 19:24:29.181760073 CEST4976311964192.168.2.452.28.247.255
                                                                                                        Apr 5, 2024 19:24:29.422352076 CEST119644976352.28.247.255192.168.2.4
                                                                                                        Apr 5, 2024 19:24:30.087980986 CEST4976311964192.168.2.452.28.247.255
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Apr 5, 2024 19:24:30.328695059 CEST  11964        49763      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:32.058938980 CEST  49764        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:32.301079035 CEST  11964        49764      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:32.962969065 CEST  49764        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:33.205022097 CEST  11964        49764      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:33.759872913 CEST  49764        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:34.001944065 CEST  11964        49764      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:34.572336912 CEST  49764        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:34.814367056 CEST  11964        49764      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:35.463032007 CEST  49764        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:35.705465078 CEST  11964        49764      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:36.589509964 CEST  49765        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:36.831367970 CEST  11964        49765      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:37.337991953 CEST  49765        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:37.579674006 CEST  11964        49765      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:38.087984085 CEST  49765        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:38.329571962 CEST  11964        49765      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:38.839442015 CEST  49765        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:39.081033945 CEST  11964        49765      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:39.588037014 CEST  49765        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:39.829595089 CEST  11964        49765      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:40.651725054 CEST  49766        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:40.892986059 CEST  11964        49766      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:41.400532007 CEST  49766        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:41.641864061 CEST  11964        49766      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:42.150496960 CEST  49766        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:42.391733885 CEST  11964        49766      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:42.900475025 CEST  49766        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:43.141802073 CEST  11964        49766      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:43.650490046 CEST  49766        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:43.891813993 CEST  11964        49766      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:44.668334961 CEST  49767        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:44.908256054 CEST  11964        49767      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:45.572386980 CEST  49767        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:45.811589956 CEST  11964        49767      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:46.322370052 CEST  49767        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:46.561327934 CEST  11964        49767      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:47.072391033 CEST  49767        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:47.312304974 CEST  11964        49767      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:47.822360992 CEST  49767        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:48.061244965 CEST  11964        49767      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:49.184050083 CEST  49768        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:49.425971031 CEST  11964        49768      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:49.931859016 CEST  49768        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:50.174396992 CEST  11964        49768      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:50.681745052 CEST  49768        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:50.923355103 CEST  11964        49768      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:51.431860924 CEST  49768        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:51.674660921 CEST  11964        49768      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:52.181741953 CEST  49768        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:52.423387051 CEST  11964        49768      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:53.089647055 CEST  49769        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:53.331455946 CEST  11964        49769      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:53.838017941 CEST  49769        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:54.080256939 CEST  11964        49769      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:54.588021994 CEST  49769        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:54.829710007 CEST  11964        49769      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:55.338016987 CEST  49769        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:55.579731941 CEST  11964        49769      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:56.088097095 CEST  49769        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:56.329849958 CEST  11964        49769      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:56.964318037 CEST  49770        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:57.204320908 CEST  11964        49770      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:57.713006020 CEST  49770        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:57.952430964 CEST  11964        49770      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:58.462999105 CEST  49770        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:58.702302933 CEST  11964        49770      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:59.212997913 CEST  49770        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:24:59.452316999 CEST  11964        49770      52.28.247.255    192.168.2.4
Apr 5, 2024 19:24:59.962994099 CEST  49770        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:25:00.202317953 CEST  11964        49770      52.28.247.255    192.168.2.4
Apr 5, 2024 19:25:00.792211056 CEST  49771        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:25:01.031544924 CEST  11964        49771      52.28.247.255    192.168.2.4
Apr 5, 2024 19:25:01.541148901 CEST  49771        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:25:01.780400038 CEST  11964        49771      52.28.247.255    192.168.2.4
Apr 5, 2024 19:25:02.291136026 CEST  49771        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:25:02.530307055 CEST  11964        49771      52.28.247.255    192.168.2.4
Apr 5, 2024 19:25:03.041126013 CEST  49771        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:25:03.280313969 CEST  11964        49771      52.28.247.255    192.168.2.4
Apr 5, 2024 19:25:03.791348934 CEST  49771        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:25:04.030649900 CEST  11964        49771      52.28.247.255    192.168.2.4
Apr 5, 2024 19:25:04.573507071 CEST  49772        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:25:04.812726974 CEST  11964        49772      52.28.247.255    192.168.2.4
Apr 5, 2024 19:25:05.322411060 CEST  49772        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:25:05.562650919 CEST  11964        49772      52.28.247.255    192.168.2.4
Apr 5, 2024 19:25:06.066909075 CEST  49772        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:25:06.306195021 CEST  11964        49772      52.28.247.255    192.168.2.4
Apr 5, 2024 19:25:06.806775093 CEST  49772        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:25:07.045878887 CEST  11964        49772      52.28.247.255    192.168.2.4
Apr 5, 2024 19:25:07.556751966 CEST  49772        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:25:07.795777082 CEST  11964        49772      52.28.247.255    192.168.2.4
Apr 5, 2024 19:25:08.315831900 CEST  49773        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:25:08.555104971 CEST  11964        49773      52.28.247.255    192.168.2.4
Apr 5, 2024 19:25:09.056783915 CEST  49773        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:25:09.296416044 CEST  11964        49773      52.28.247.255    192.168.2.4
Apr 5, 2024 19:25:09.806767941 CEST  49773        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:25:10.048887014 CEST  11964        49773      52.28.247.255    192.168.2.4
Apr 5, 2024 19:25:10.556766033 CEST  49773        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:25:10.796128988 CEST  11964        49773      52.28.247.255    192.168.2.4
Apr 5, 2024 19:25:11.306761980 CEST  49773        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:25:11.546577930 CEST  11964        49773      52.28.247.255    192.168.2.4
Apr 5, 2024 19:25:12.028295040 CEST  49774        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:25:12.268028021 CEST  11964        49774      52.28.247.255    192.168.2.4
Apr 5, 2024 19:25:12.775547981 CEST  49774        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:25:13.015346050 CEST  11964        49774      52.28.247.255    192.168.2.4
Apr 5, 2024 19:25:13.525516033 CEST  49774        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:25:13.765528917 CEST  11964        49774      52.28.247.255    192.168.2.4
Apr 5, 2024 19:25:14.275585890 CEST  49774        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:25:14.515638113 CEST  11964        49774      52.28.247.255    192.168.2.4
Apr 5, 2024 19:25:15.025501966 CEST  49774        11964      192.168.2.4      52.28.247.255
Apr 5, 2024 19:25:15.265203953 CEST  11964        49774      52.28.247.255    192.168.2.4
Apr 5, 2024 19:25:15.842367887 CEST  49775        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:16.082531929 CEST  11964        49775      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:16.588037014 CEST  49775        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:16.828027964 CEST  11964        49775      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:17.338047028 CEST  49775        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:17.578061104 CEST  11964        49775      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:18.088108063 CEST  49775        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:18.328228951 CEST  11964        49775      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:18.838028908 CEST  49775        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:19.077990055 CEST  11964        49775      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:19.495503902 CEST  49776        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:19.737445116 CEST  11964        49776      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:20.244266033 CEST  49776        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:20.486155987 CEST  11964        49776      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:20.994402885 CEST  49776        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:21.236941099 CEST  11964        49776      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:21.759912014 CEST  49776        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:22.001879930 CEST  11964        49776      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:22.666189909 CEST  49776        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:22.908193111 CEST  11964        49776      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:23.292469025 CEST  49777        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:23.532253981 CEST  11964        49777      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:24.088025093 CEST  49777        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:24.328263044 CEST  11964        49777      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:24.900548935 CEST  49777        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:25.140991926 CEST  11964        49777      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:25.697627068 CEST  49777        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:25.937335014 CEST  11964        49777      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:26.588052034 CEST  49777        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:26.827799082 CEST  11964        49777      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:27.200978041 CEST  49778        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:27.442257881 CEST  11964        49778      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:28.088017941 CEST  49778        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:28.329315901 CEST  11964        49778      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:28.884902954 CEST  49778        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:29.126118898 CEST  11964        49778      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:29.697451115 CEST  49778        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:29.938955069 CEST  11964        49778      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:30.494277000 CEST  49778        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:30.735719919 CEST  11964        49778      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:31.074537039 CEST  49779        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:31.316025972 CEST  11964        49779      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:31.822504997 CEST  49779        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:32.063308001 CEST  11964        49779      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:32.572494030 CEST  49779        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:32.813374043 CEST  11964        49779      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:33.322396994 CEST  49779        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:33.563108921 CEST  11964        49779      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:34.072407961 CEST  49779        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:34.313245058 CEST  11964        49779      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:34.636576891 CEST  49780        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:34.877774954 CEST  11964        49780      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:35.400580883 CEST  49780        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:35.642462015 CEST  11964        49780      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:36.291249990 CEST  49780        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:36.532505989 CEST  11964        49780      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:37.197432995 CEST  49780        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:37.438641071 CEST  11964        49780      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:37.947391987 CEST  49780        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:38.190748930 CEST  11964        49780      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:38.639174938 CEST  49781        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:38.879858017 CEST  11964        49781      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:39.384897947 CEST  49781        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:39.625772953 CEST  11964        49781      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:40.291152000 CEST  49781        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:40.531929016 CEST  11964        49781      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:41.166192055 CEST  49781        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:41.406826019 CEST  11964        49781      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:41.978703022 CEST  49781        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:42.220755100 CEST  11964        49781      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:42.498361111 CEST  49782        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:42.737929106 CEST  11964        49782      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:43.275521994 CEST  49782        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:43.515212059 CEST  11964        49782      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:44.166256905 CEST  49782        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:44.406040907 CEST  11964        49782      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:44.978735924 CEST  49782        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:45.218743086 CEST  11964        49782      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:45.775568962 CEST  49782        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:46.015441895 CEST  11964        49782      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:46.276957989 CEST  49783        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:46.517575979 CEST  11964        49783      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:47.025542974 CEST  49783        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:47.266141891 CEST  11964        49783      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:47.775556087 CEST  49783        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:48.015958071 CEST  11964        49783      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:48.525991917 CEST  49783        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:48.766473055 CEST  11964        49783      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:49.275557041 CEST  49783        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:49.516298056 CEST  11964        49783      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:49.761346102 CEST  49784        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:50.002140045 CEST  11964        49784      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:50.509924889 CEST  49784        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:50.750116110 CEST  11964        49784      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:51.259932995 CEST  49784        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:51.501058102 CEST  11964        49784      3.66.38.117      192.168.2.4
Apr 5, 2024 19:25:52.009929895 CEST  49784        11964      192.168.2.4      3.66.38.117
Apr 5, 2024 19:25:52.250560999 CEST  11964        49784      3.66.38.117      192.168.2.4
                                                                                                        Apr 5, 2024 19:25:52.759918928 CEST4978411964192.168.2.43.66.38.117
                                                                                                        Apr 5, 2024 19:25:53.000305891 CEST11964497843.66.38.117192.168.2.4
                                                                                                        Apr 5, 2024 19:25:53.229871988 CEST4978511964192.168.2.43.66.38.117
                                                                                                        Apr 5, 2024 19:25:53.469588041 CEST11964497853.66.38.117192.168.2.4
                                                                                                        Apr 5, 2024 19:25:53.978678942 CEST4978511964192.168.2.43.66.38.117
                                                                                                        Apr 5, 2024 19:25:54.218391895 CEST11964497853.66.38.117192.168.2.4
                                                                                                        Apr 5, 2024 19:25:54.728646040 CEST4978511964192.168.2.43.66.38.117
                                                                                                        Apr 5, 2024 19:25:54.968301058 CEST11964497853.66.38.117192.168.2.4
                                                                                                        Apr 5, 2024 19:25:55.478674889 CEST4978511964192.168.2.43.66.38.117
                                                                                                        Apr 5, 2024 19:25:55.718230009 CEST11964497853.66.38.117192.168.2.4
                                                                                                        Apr 5, 2024 19:25:56.228652954 CEST4978511964192.168.2.43.66.38.117
                                                                                                        Apr 5, 2024 19:25:56.469310999 CEST11964497853.66.38.117192.168.2.4
                                                                                                        Apr 5, 2024 19:25:57.843935966 CEST4978611964192.168.2.43.66.38.117
                                                                                                        Apr 5, 2024 19:25:58.085999012 CEST11964497863.66.38.117192.168.2.4
                                                                                                        Apr 5, 2024 19:25:58.596972942 CEST4978611964192.168.2.43.66.38.117
                                                                                                        Apr 5, 2024 19:25:58.839190960 CEST11964497863.66.38.117192.168.2.4
                                                                                                        Apr 5, 2024 19:25:59.353660107 CEST4978611964192.168.2.43.66.38.117
                                                                                                        Apr 5, 2024 19:25:59.595747948 CEST11964497863.66.38.117192.168.2.4
                                                                                                        Apr 5, 2024 19:26:00.244399071 CEST4978611964192.168.2.43.66.38.117
                                                                                                        Apr 5, 2024 19:26:00.486531019 CEST11964497863.66.38.117192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 5, 2024 19:22:07.168579102 CEST | 57842 | 53 | 192.168.2.4 | 1.1.1.1
Apr 5, 2024 19:22:07.295521021 CEST | 53 | 57842 | 1.1.1.1 | 192.168.2.4
Apr 5, 2024 19:23:07.432658911 CEST | 56576 | 53 | 192.168.2.4 | 1.1.1.1
Apr 5, 2024 19:23:07.571945906 CEST | 53 | 56576 | 1.1.1.1 | 192.168.2.4
Apr 5, 2024 19:24:12.509212017 CEST | 60585 | 53 | 192.168.2.4 | 1.1.1.1
Apr 5, 2024 19:24:12.648593903 CEST | 53 | 60585 | 1.1.1.1 | 192.168.2.4
Apr 5, 2024 19:25:15.714392900 CEST | 65476 | 53 | 192.168.2.4 | 1.1.1.1
Apr 5, 2024 19:25:15.840666056 CEST | 53 | 65476 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 5, 2024 19:22:07.168579102 CEST | 192.168.2.4 | 1.1.1.1 | 0xb75a | Standard query (0) | 6.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Apr 5, 2024 19:23:07.432658911 CEST | 192.168.2.4 | 1.1.1.1 | 0xaaaf | Standard query (0) | 6.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Apr 5, 2024 19:24:12.509212017 CEST | 192.168.2.4 | 1.1.1.1 | 0xed99 | Standard query (0) | 6.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Apr 5, 2024 19:25:15.714392900 CEST | 192.168.2.4 | 1.1.1.1 | 0x4cdb | Standard query (0) | 6.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 5, 2024 19:22:07.295521021 CEST | 1.1.1.1 | 192.168.2.4 | 0xb75a | No error (0) | 6.tcp.eu.ngrok.io | - | 3.68.171.119 | A (IP address) | IN (0x0001) | false
Apr 5, 2024 19:23:07.571945906 CEST | 1.1.1.1 | 192.168.2.4 | 0xaaaf | No error (0) | 6.tcp.eu.ngrok.io | - | 3.69.157.220 | A (IP address) | IN (0x0001) | false
Apr 5, 2024 19:24:12.648593903 CEST | 1.1.1.1 | 192.168.2.4 | 0xed99 | No error (0) | 6.tcp.eu.ngrok.io | - | 52.28.247.255 | A (IP address) | IN (0x0001) | false
Apr 5, 2024 19:25:15.840666056 CEST | 1.1.1.1 | 192.168.2.4 | 0x4cdb | No error (0) | 6.tcp.eu.ngrok.io | - | 3.66.38.117 | A (IP address) | IN (0x0001) | false
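The DNS and TCP tables above carry more than the raw rows say: 6.tcp.eu.ngrok.io returned a different address on each of the four lookups (ngrok rotates its TCP-tunnel front ends), the final answer 3.66.38.117 is exactly the peer of the TCP traffic on port 11964, and the client sends at a near-constant interval on each connection. The script below is an added triage example, not part of the Joe Sandbox report: it joins the DNS answers to the packet rows so the TCP peer can be attributed to the queried name, counts the address rotations, and measures the send interval. The sample rows are copied from this report's tables and embedded inline so the script runs offline; the tunnel-provider suffix list, the "common port" set and the jitter threshold are assumptions chosen for the example.

```python
"""Added triage helper: ties a sandbox report's DNS answers to its TCP packet rows.

Sample data below is copied from the report's tables (constructed inline so the
script runs offline). Thresholds and the tunnel-service list are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from statistics import median

HOST = "192.168.2.4"                # analysis VM address, as in the report
TUNNEL_SUFFIXES = (".ngrok.io",)    # assumption: public TCP-tunnel providers worth flagging
COMMON_PORTS = {53, 80, 443, 8080}  # assumption: any other destination port is "non-standard"
JITTER_LIMIT = 0.2                  # assumption: spread (s) that still counts as a fixed interval

# Constructed sample: two of the client's connections, copied from the report's TCP
# packet rows. Columns: Timestamp | Source Port | Dest Port | Source IP | Dest IP.
TCP_ROWS = """\
Apr 5, 2024 19:25:44.166256905 CEST | 49782 | 11964 | 192.168.2.4 | 3.66.38.117
Apr 5, 2024 19:25:44.406040907 CEST | 11964 | 49782 | 3.66.38.117 | 192.168.2.4
Apr 5, 2024 19:25:44.978735924 CEST | 49782 | 11964 | 192.168.2.4 | 3.66.38.117
Apr 5, 2024 19:25:45.218743086 CEST | 11964 | 49782 | 3.66.38.117 | 192.168.2.4
Apr 5, 2024 19:25:45.775568962 CEST | 49782 | 11964 | 192.168.2.4 | 3.66.38.117
Apr 5, 2024 19:25:46.015441895 CEST | 11964 | 49782 | 3.66.38.117 | 192.168.2.4
Apr 5, 2024 19:25:46.276957989 CEST | 49783 | 11964 | 192.168.2.4 | 3.66.38.117
Apr 5, 2024 19:25:46.517575979 CEST | 11964 | 49783 | 3.66.38.117 | 192.168.2.4
Apr 5, 2024 19:25:47.025542974 CEST | 49783 | 11964 | 192.168.2.4 | 3.66.38.117
Apr 5, 2024 19:25:47.266141891 CEST | 11964 | 49783 | 3.66.38.117 | 192.168.2.4
Apr 5, 2024 19:25:47.775556087 CEST | 49783 | 11964 | 192.168.2.4 | 3.66.38.117
Apr 5, 2024 19:25:48.015958071 CEST | 11964 | 49783 | 3.66.38.117 | 192.168.2.4
"""

# Constructed sample: the four DNS answers from the report. Columns: Timestamp | Name | Address.
DNS_ANSWERS = """\
Apr 5, 2024 19:22:07.295521021 CEST | 6.tcp.eu.ngrok.io | 3.68.171.119
Apr 5, 2024 19:23:07.571945906 CEST | 6.tcp.eu.ngrok.io | 3.69.157.220
Apr 5, 2024 19:24:12.648593903 CEST | 6.tcp.eu.ngrok.io | 52.28.247.255
Apr 5, 2024 19:25:15.840666056 CEST | 6.tcp.eu.ngrok.io | 3.66.38.117
"""


def parse_ts(text: str) -> datetime:
    """Joe Sandbox prints nanoseconds; datetime only takes microseconds, so truncate."""
    stamp, _tz = text.rsplit(" ", 1)
    head, frac = stamp.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def rows(table: str) -> list[list[str]]:
    return [[c.strip() for c in line.split("|")] for line in table.strip().splitlines()]


def resolved_names(dns_table: str) -> dict[str, str]:
    """address -> name for every answer, so a TCP peer can be traced back to its query."""
    return {addr: name for _ts, name, addr in rows(dns_table)}


def outbound_by_connection(tcp_table: str) -> dict[tuple[int, str, int], list[datetime]]:
    """Timestamps of the VM's own packets, grouped per (src port, dst ip, dst port)."""
    conns: dict[tuple[int, str, int], list[datetime]] = defaultdict(list)
    for ts, sport, dport, sip, dip in rows(tcp_table):
        if sip == HOST:
            conns[(int(sport), dip, int(dport))].append(parse_ts(ts))
    return conns


def triage(tcp_table: str = TCP_ROWS, dns_table: str = DNS_ANSWERS) -> list[dict]:
    """One finding per destination endpoint the VM talked to."""
    names = resolved_names(dns_table)
    conns = outbound_by_connection(tcp_table)
    findings = []
    for dip, dport in sorted({(d, p) for (_s, d, p) in conns}):
        per_conn = [st for (_s, d, p), st in conns.items() if (d, p) == (dip, dport)]
        gaps = [(b - a).total_seconds() for st in per_conn for a, b in zip(st, st[1:])]
        name = names.get(dip, "")
        reasons = []
        if name.endswith(TUNNEL_SUFFIXES):
            reasons.append(f"peer is a tunnel-service address for {name}")
        if dport not in COMMON_PORTS:
            reasons.append(f"non-standard destination port {dport}")
        if len(gaps) >= 3 and max(gaps) - min(gaps) < JITTER_LIMIT:
            reasons.append(f"fixed send interval of {median(gaps):.2f}s")
        findings.append({
            "c2_endpoint": f"{dip}:{dport}",
            "c2_name": name,
            "rotated_addresses": [a for a, n in names.items() if n == name],
            "connections": len(per_conn),               # distinct source ports = reconnects
            "median_gap_s": round(median(gaps), 3) if gaps else None,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

Because the tunnel front end rotates, blocking the single address seen in the pcap is useless; the durable indicators are the name 6.tcp.eu.ngrok.io, the fixed port 11964 and the cadence, which is why the finding carries all resolved addresses rather than one.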


                                                                                                        Target ID:0
                                                                                                        Start time:19:21:50
                                                                                                        Start date:05/04/2024
                                                                                                        Path:C:\Users\user\Desktop\mhYCwt8wBz.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\Desktop\mhYCwt8wBz.exe"
                                                                                                        Imagebase:0x60000
                                                                                                        File size:67'072 bytes
                                                                                                        MD5 hash:2FB7FC0949AA14070E5E5D1EC37D48E7
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1618665113.0000000000062000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1618665113.0000000000062000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.1618665113.0000000000062000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.1618665113.0000000000062000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.1685027347.0000000002782000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.1685027347.0000000002782000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.1685027347.0000000002782000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.1685027347.0000000002782000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        Reputation:low
                                                                                                        Has exited:true

                                                                                                        Target ID:1
                                                                                                        Start time:19:21:57
                                                                                                        Start date:05/04/2024
                                                                                                        Path:C:\Users\user\AppData\Local\Temp\Exspa.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\Exspa.exe"
                                                                                                        Imagebase:0x770000
                                                                                                        File size:67'072 bytes
                                                                                                        MD5 hash:2FB7FC0949AA14070E5E5D1EC37D48E7
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000002.4080946239.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, Author: unknown
                                                                                                        • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, Author: Florian Roth
                                                                                                        • Rule: Unknown_Malware_Sample_Jul17_2, Description: Detects unknown malware sample with pastebin RAW URL, Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, Author: Florian Roth
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, Author: ditekSHen
                                                                                                        • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\Exspa.exe, Author: ditekSHen
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        • Detection: 84%, ReversingLabs
                                                                                                        Reputation:low
                                                                                                        Has exited:false

                                                                                                        Target ID:2
                                                                                                        Start time:19:21:57
                                                                                                        Start date:05/04/2024
                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\user\Desktop\mhYCwt8wBz.exe"
                                                                                                        Imagebase:0x240000
                                                                                                        File size:236'544 bytes
                                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:3
                                                                                                        Start time:19:21:57
                                                                                                        Start date:05/04/2024
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                        File size:862'208 bytes
                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:4
                                                                                                        Start time:19:21:57
                                                                                                        Start date:05/04/2024
                                                                                                        Path:C:\Windows\SysWOW64\choice.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:choice /C Y /N /D Y /T 5
                                                                                                        Imagebase:0xa0000
                                                                                                        File size:28'160 bytes
                                                                                                        MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:moderate
                                                                                                        Has exited:true
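The four process entries above form the sample's whole first stage: the original binary (Target 0) writes a byte-identical copy (same MD5) to the Temp folder and starts it (Target 1), then spawns cmd.exe (Target 2) with "choice /C Y /N /D Y /T 5 & Del ..." so that choice.exe (Target 4) waits five seconds before the shell deletes the original file; a further copy later runs from the Start Menu Startup folder (listed further down in this process list). The script below is an added detection example, not part of the report or of any vendor rule: it encodes those three behaviours as checks over process-creation events. The events are constructed from this report's Target ID, Path, Commandline and MD5 fields; the parent links are an assumption based on start order, since the report does not list parent PIDs. On a live host the same fields come from Sysmon event 1 or Security event 4688.

```python
"""Added process-tree triage over process-creation events.

Events are constructed from the report's Target ID, Path, Commandline and MD5 fields.
Parent links are an assumption (the report gives start order, not parent PIDs).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    target: int
    parent: Optional[int]   # assumed, see module docstring
    path: str
    cmdline: str
    md5: str


# Constructed sample events (values copied from the report's process list).
PROCS = [
    Proc(0, None, r"C:\Users\user\Desktop\mhYCwt8wBz.exe",
         r'"C:\Users\user\Desktop\mhYCwt8wBz.exe"', "2FB7FC0949AA14070E5E5D1EC37D48E7"),
    Proc(1, 0, r"C:\Users\user\AppData\Local\Temp\Exspa.exe",
         r'"C:\Users\user\AppData\Local\Temp\Exspa.exe"', "2FB7FC0949AA14070E5E5D1EC37D48E7"),
    Proc(2, 0, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\user\Desktop\mhYCwt8wBz.exe"',
         "D0FCE3AFA6AA1D58CE9FA336CC2B675B"),
    Proc(4, 2, r"C:\Windows\SysWOW64\choice.exe", "choice /C Y /N /D Y /T 5",
         "FCE0E41C87DC4ABBE976998AD26C27E4"),
    Proc(12, 1, r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe",
         r'"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe"',
         "2FB7FC0949AA14070E5E5D1EC37D48E7"),
]

# "choice /T n /D x" is a sleep that needs neither timeout.exe nor ping; the "& del"
# that follows removes the file which launched the shell. Group 1 = delay, group 2 = path.
SELF_DELETE = re.compile(
    r'choice\s+/C\s+\w\s+/N\s+/D\s+\w\s+/T\s+(\d+)\s*&\s*del\s+"?([^"]+)"?', re.I)
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def triage_processes(procs: list[Proc]) -> list[tuple[int, str, str]]:
    """Return (target id, rule name, detail) for every behaviour matched."""
    by_id = {p.target: p for p in procs}
    hits = []
    for p in procs:
        parent = by_id.get(p.parent) if p.parent is not None else None
        low = p.path.lower()
        m = SELF_DELETE.search(p.cmdline)
        if low.endswith("\\cmd.exe") and m:
            delay, victim = m.group(1), m.group(2).strip()
            whose = "its parent" if parent and parent.path.lower() == victim.lower() else "another file"
            hits.append((p.target, "delayed self-deletion", f"deletes {whose} after {delay}s: {victim}"))
        if parent and parent.md5 == p.md5 and parent.path.lower() != low:
            hits.append((p.target, "copy-and-relaunch", f"same MD5 as parent {parent.target}, new path {p.path}"))
        if STARTUP_DIR in low:
            hits.append((p.target, "startup-folder execution", p.path))
    return hits


if __name__ == "__main__":
    for target, rule, detail in triage_processes(PROCS):
        print(f"target {target}: {rule}: {detail}")
```

The self-deletion check keys on the cmd.exe command line rather than on choice.exe, because choice.exe alone (Target 4) is a legitimate console tool; what makes the chain suspicious is the delay followed by a del of the parent's own image, which is why the rule compares the deleted path against the parent's Path field.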

                                                                                                        Target ID:6
                                                                                                        Start time:19:22:15
                                                                                                        Start date:05/04/2024
                                                                                                        Path:C:\Users\user\AppData\Local\Temp\Exspa.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\Exspa.exe" ..
                                                                                                        Imagebase:0xb40000
                                                                                                        File size:67'072 bytes
                                                                                                        MD5 hash:2FB7FC0949AA14070E5E5D1EC37D48E7
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:low
                                                                                                        Has exited:true

                                                                                                        Target ID:9
                                                                                                        Start time:19:22:24
                                                                                                        Start date:05/04/2024
                                                                                                        Path:C:\Users\user\AppData\Local\Temp\Exspa.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\Exspa.exe" ..
                                                                                                        Imagebase:0xb90000
                                                                                                        File size:67'072 bytes
                                                                                                        MD5 hash:2FB7FC0949AA14070E5E5D1EC37D48E7
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:low
                                                                                                        Has exited:true

                                                                                                        Target ID:10
                                                                                                        Start time:19:22:32
                                                                                                        Start date:05/04/2024
                                                                                                        Path:C:\Users\user\AppData\Local\Temp\Exspa.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\Exspa.exe" ..
                                                                                                        Imagebase:0xd90000
                                                                                                        File size:67'072 bytes
                                                                                                        MD5 hash:2FB7FC0949AA14070E5E5D1EC37D48E7
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:low
                                                                                                        Has exited:true

                                                                                                        Target ID:12
                                                                                                        Start time:19:22:40
                                                                                                        Start date:05/04/2024
                                                                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe"
                                                                                                        Imagebase:0xd90000
                                                                                                        File size:67'072 bytes
                                                                                                        MD5 hash:2FB7FC0949AA14070E5E5D1EC37D48E7
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, Author: unknown
                                                                                                        • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, Author: Florian Roth
                                                                                                        • Rule: Unknown_Malware_Sample_Jul17_2, Description: Detects unknown malware sample with pastebin RAW URL, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, Author: Florian Roth
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, Author: ditekSHen
                                                                                                        • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe, Author: ditekSHen
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        • Detection: 84%, ReversingLabs
                                                                                                        Reputation:low
                                                                                                        Has exited:true

                                                                                                        Target ID:13
                                                                                                        Start time:19:22:48
                                                                                                        Start date:05/04/2024
                                                                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Exspa.exe"
                                                                                                        Imagebase:0x950000
                                                                                                        File size:67'072 bytes
                                                                                                        MD5 hash:2FB7FC0949AA14070E5E5D1EC37D48E7
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:low
                                                                                                        Has exited:true
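The two process entries above are the persistence the report flags: the sample re-launched itself from a copy named Exspa.exe in the per-user Startup folder, and the copy carries the same MD5 as the submitted file. The check below is an added example (not Joe Sandbox code and not the sample's own): it hashes any PE file found in a Startup folder against the report's IOC and flags Run values that point into user-writable folders. The Run values are passed in as a dict so the check runs on any OS; load_run_values() is the Windows-only reader. KNOWN_MD5 is the hash from this report; SUSPICIOUS_ROOTS and the severity labels are my own choices, not Joe Sandbox's. Hashes change between builds of a RAT, so the folder and Run-value checks are the durable part; the hash match is the high-confidence part.

```python
"""Triage check for the persistence pattern in this report: a PE copied into
the per-user Startup folder and Run values pointing at user-writable paths.
Added example; not Joe Sandbox code."""
import hashlib
import os
from pathlib import Path

# IOC from this report: MD5 of mhYCwt8wBz.exe and of the dropped Exspa.exe
KNOWN_MD5 = {"2fb7fc0949aa14070e5e5d1ec37d48e7"}

# Assumption (my list): user-writable roots that legitimate software rarely
# launches from via a Run value. Matched case-insensitively.
SUSPICIOUS_ROOTS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\start menu\\programs\\startup\\",
)


def is_pe(path: Path) -> bool:
    """MZ header check; the extension alone is not evidence."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def md5_of(path: Path) -> str:
    """Streamed MD5 so large droppers do not get read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_startup_persistence(startup_dir, run_values, known_md5=KNOWN_MD5):
    """Return a list of (severity, detail) findings.

    startup_dir: the user's Startup folder (any path, for testing)
    run_values:  {value name: command line} from HKCU\\...\\CurrentVersion\\Run
    """
    findings = []
    for p in sorted(Path(startup_dir).iterdir()):
        if not p.is_file() or not is_pe(p):
            continue
        digest = md5_of(p)
        # A PE in Startup is suspicious on its own; a known-bad hash is certain.
        severity = "high" if digest in known_md5 else "medium"
        findings.append((severity, f"PE in Startup folder: {p.name} md5={digest}"))
    for name, cmd in run_values.items():
        target = cmd.strip().strip('"').lower()
        if any(root in target for root in SUSPICIOUS_ROOTS):
            findings.append(("medium", f"Run value {name!r} launches from user-writable path: {cmd}"))
    return findings


def load_run_values():
    """Windows only: enumerate HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run."""
    import winreg  # imported here so the module loads on non-Windows hosts
    values = {}
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    index = 0
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, index)
        except OSError:  # no more values
            break
        values[name] = str(data)
        index += 1
    return values


if __name__ == "__main__":
    if os.name != "nt":
        print("run on the Windows host being triaged; see the test for offline use")
    else:
        startup = Path(os.environ["APPDATA"]) / "Microsoft/Windows/Start Menu/Programs/Startup"
        for severity, detail in check_startup_persistence(startup, load_run_values()):
            print(severity, detail)
```

The Run-value check deliberately looks at the launched path rather than the value name: the value name in this report is the benign-looking "Exspa", and nothing about a name is reliable.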


                                                                                                          Execution Graph

                                                                                                          Execution Coverage:7.7%
                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                          Signature Coverage:0%
                                                                                                          Total number of Nodes:47
                                                                                                          Total number of Limit Nodes:2
                                                                                                          Execution graph (rendered graph not preserved; the exported nodes are API call sites, listed with the address of the wrapper that reaches each one):
                                                                                                          • RegSetValueExW at 63a486, reached from 63a462
                                                                                                          • RegQueryValueExW at 63a392, reached from 63a361
                                                                                                          • CreateMutexW at 63a67e, reached from 63a646 (itself reached from 63a612)
                                                                                                          • CreateFileW at 63a9be, reached from 63a986 (itself reached from 63a94f)
                                                                                                          • FindCloseChangeNotification at 63a77a, reached from 63a74e (itself reached from 63a710); this is most likely the handle close after the file write, since FindCloseChangeNotification and CloseHandle resolve to the same kernel32 code and the resolver picked this name
                                                                                                          • WriteFile at 63ac63, reached from 63ac2e (itself reached from 63ac0e)
                                                                                                          • ShellExecuteExW at 63ae78, reached from 63ae52 (itself reached from 63ae30)
                                                                                                          • SetErrorMode at 63a2d6, reached from 63a2d2, and at 63a32a, reached from 63a2fe
                                                                                                          • GetFileType at 63aa9e, reached from 63aa5c

                                                                                                          Callgraph

                                                                                                          Rendered graph not preserved; summary of the exported function list (91 functions).
                                                                                                          • Functions were recovered in four address ranges: 0063201C-00632669, 0063A005-0063AF06 (the API wrappers listed in the execution graph above), 00A80006-00A81368 and 00BF0074-00BF0740.
                                                                                                          • Recorded call edges: Function_00A803A8, Function_00A80397, Function_00A80400, Function_00A80438, Function_00A80466, Function_00A80494 and Function_00A804F1 each call Function_00A80B05 and Function_00BF0606; Function_00BF0648 calls Function_00BF066A. No other edges were recorded, so the 00632xxx and 0063Axxx functions appear as isolated nodes.
                                                                                                          • The seven 00A80xxx callers are the seven entry points whose control-flow graphs follow; they overlap in the same body.

                                                                                                          Control-flow Graph

                                                                                                          Rendered graph not preserved; summary of the exported basic-block list. Function entered at a803a8, in the memory region dumped at 00A80000 (not backed by a PE on disk). Entry blocks a803a8-a803f6 and a803f8-a803fe lead to a8041d-a80424; from there the body is shared with the six graphs below (entries a80397, a80400, a80438, a80466, a80494 and a804f1), which are later entry points into the same code. The shared body is a run of optional blocks (a80426-a80436, a8045e-a80464, a8048c-a80492, a804ba-a80524, a8056d), each either executed or skipped, then a single call site at a80572 with two recorded callees, bf0606 and a80b05 (consistent with an indirect call), then a80578-a806e6 into a loop a80712-a80723 -> a8072e-a80739 -> a80ad3-a80b00 -> a80712, whose body a8073f-a80aa2 re-enters the loop tail through a80ace.
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1684927878.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_a80000_mhYCwt8wBz.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: 2l$2l$Z8l^
                                                                                                          • API String ID: 0-2650419959
                                                                                                          • Opcode ID: 6bb93bd11911de77ca1ecfb636b349e851fa9659c5a9caa2d5a00b932193b8a6
                                                                                                          • Instruction ID: b72d1c5f76515440f7adb690f58ecf14673a30b64cb70f68214f1be985cfb3af
                                                                                                          • Opcode Fuzzy Hash: 6bb93bd11911de77ca1ecfb636b349e851fa9659c5a9caa2d5a00b932193b8a6
                                                                                                          • Instruction Fuzzy Hash: 2CF17B34A01309CFDB58EF74D864BADB7B2AF49304F1084A9D409AB3A5DB399D89CF51
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          Rendered graph not preserved. Same function body as the a803a8 graph above, entered at a80397: the entry block a80397-a803f6 replaces a803a8-a803f6, and everything from a803f8 on is identical, including the a80572 call site (callees bf0606 / a80b05) and the a80712-a80b00 loop.
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1684927878.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_a80000_mhYCwt8wBz.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: 2l$2l$Z8l^
                                                                                                          • API String ID: 0-2650419959
                                                                                                          • Opcode ID: e4eb1cf26e1c5f6e8186dbee7c3a6a69135083c79a235519327f901a115570b7
                                                                                                          • Instruction ID: 06d0dd189720b0030d223065010f9122b34923a0f7b23c4553b79da0f0a8ab4f
                                                                                                          • Opcode Fuzzy Hash: e4eb1cf26e1c5f6e8186dbee7c3a6a69135083c79a235519327f901a115570b7
                                                                                                          • Instruction Fuzzy Hash: 66F16A34A01309CFDB58EF74D864BADB7B2AF49304F1084A9D409AB3A5DB399D89CF51
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          Rendered graph not preserved. Same function body as the a803a8 graph above, entered at a80400: the entry block a80400-a80424 starts part way into that graph's a8041d-a80424 block, and everything from a80426 on is identical, including the a80572 call site (callees bf0606 / a80b05) and the a80712-a80b00 loop.
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1684927878.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_a80000_mhYCwt8wBz.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: 2l$2l$Z8l^
                                                                                                          • API String ID: 0-2650419959
                                                                                                          • Opcode ID: e4d193d4dfb2e1655f0df33cd48dbe0b0b0e98ea7e237ec49c3ac1abd6746116
                                                                                                          • Instruction ID: 09ab6060da12ceb4dd0a94fad5b0f62adfb4a81d88e469b20d44e10e1e3af016
                                                                                                          • Opcode Fuzzy Hash: e4d193d4dfb2e1655f0df33cd48dbe0b0b0e98ea7e237ec49c3ac1abd6746116
                                                                                                          • Instruction Fuzzy Hash: C2E15A34A01319CFDB58EF74D864BADB7B2AF49304F1084A9D409AB3A5DB399D85CF50
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          Rendered graph not preserved. Same function body as the a803a8 graph above, entered at a80438: the entry block is a80438-a8045c, and everything from a8045e on is identical, including the a80572 call site (callees bf0606 / a80b05) and the a80712-a80b00 loop.
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1684927878.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_a80000_mhYCwt8wBz.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: 2l$2l$Z8l^
                                                                                                          • API String ID: 0-2650419959
                                                                                                          • Opcode ID: 7aaf2218e190a7d3e9a0d5675dfc3caf52ffc0b03341cfc92f5236d1d6c54a98
                                                                                                          • Instruction ID: ec8e617545d192f5c609e0a51417ae1a2e5d61001ca67cfd35fd55f4bc91add6
                                                                                                          • Opcode Fuzzy Hash: 7aaf2218e190a7d3e9a0d5675dfc3caf52ffc0b03341cfc92f5236d1d6c54a98
                                                                                                          • Instruction Fuzzy Hash: 6CE16A34A01319CFDB58EF74D864BADB7B2AF49304F1084A9D409AB3A5DB399D85CF50
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          Rendered graph not preserved. Same function body as the a803a8 graph above, entered at a80466: the entry block is a80466-a8048a, and everything from a8048c on is identical, including the a80572 call site (callees bf0606 / a80b05) and the a80712-a80b00 loop.
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1684927878.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_a80000_mhYCwt8wBz.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: 2l$2l$Z8l^
                                                                                                          • API String ID: 0-2650419959
                                                                                                          • Opcode ID: 20e08a2f148ace7114ec0e6cf03ad2d0bed1abe482ef3862522cb0c3fe052d1c
                                                                                                          • Instruction ID: 39f9be14f32809d5dc64776756af4959056d25b042a48b785f3b7287433a0d50
                                                                                                          • Opcode Fuzzy Hash: 20e08a2f148ace7114ec0e6cf03ad2d0bed1abe482ef3862522cb0c3fe052d1c
                                                                                                          • Instruction Fuzzy Hash: 65E16A34A01319CFDB58EF70D864BADB7B2AF89304F1084A9D409AB365DB399D85CF50
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          Rendered graph not preserved. Same function body as the a803a8 graph above, entered at a80494: the entry block is a80494-a804b8, and everything from a804ba on is identical, including the a80572 call site (callees bf0606 / a80b05) and the a80712-a80b00 loop.
Strings
Memory Dump Source
• Source File: 00000000.00000002.1684927878.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a80000_mhYCwt8wBz.jbxd
Similarity
• API ID:
• String ID: 2l$2l$Z8l^
• API String ID: 0-2650419959
• Opcode ID: c0da6b5fa1b9f329e6475c6bb7b720d763ca1f6bb61bcc52b6e1b99925499623
• Instruction ID: d85580170598ccd850285cbab471aea2b48d45df9c711c3c5d2d077d7c60ff83
• Opcode Fuzzy Hash: c0da6b5fa1b9f329e6475c6bb7b720d763ca1f6bb61bcc52b6e1b99925499623
• Instruction Fuzzy Hash: 3EE16934A01309CFDB58EF70D864BADB7B2AF89308F5084A9D409AB365DB399D85CF50
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered figure of the function starting at a804f1 (executed / not executed blocks highlighted; edge list not reproduced)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1684927878.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a80000_mhYCwt8wBz.jbxd
Similarity
• API ID:
• String ID: 2l$2l$Z8l^
• API String ID: 0-2650419959
• Opcode ID: e9a18070b7b10a3b3cb3024a9af47c9f9742b30564100778305e5f44aa94b6ba
• Instruction ID: 1dc571014435add9ec4c5fda91da7862c4c6caafa0a20c2de160fd45db3146ce
• Opcode Fuzzy Hash: e9a18070b7b10a3b3cb3024a9af47c9f9742b30564100778305e5f44aa94b6ba
• Instruction Fuzzy Hash: DBE16834A01319CFDB58EF74C860BADB7B2AF89304F1084A9D409AB3A5DB399D85CF50
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered figure of the function starting at 63a94f (executed / not executed blocks highlighted; edge list not reproduced)
APIs
• CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0063AA05
Memory Dump Source
• Source File: 00000000.00000002.1684463588.000000000063A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_63a000_mhYCwt8wBz.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 5412908d7177407f106cd5f8655d1ecdd8bcf7017ba4e4b089355fb2004fc1dd
• Instruction ID: 5b7407ba07eb676bc58333b18e963ef510798b3891d70058942352600dbb2f65
• Opcode Fuzzy Hash: 5412908d7177407f106cd5f8655d1ecdd8bcf7017ba4e4b089355fb2004fc1dd
• Instruction Fuzzy Hash: 0C31ADB1504380AFE722CF65CD44FA2BFE8EF06314F08849AE9858B652D365E909DB71
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered figure of the function starting at 63a612 (executed / not executed blocks highlighted; edge list not reproduced)
APIs
• CreateMutexW.KERNELBASE(?,?), ref: 0063A6B9
Memory Dump Source
• Source File: 00000000.00000002.1684463588.000000000063A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_63a000_mhYCwt8wBz.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: 44ed8b9267c01d776626ae484158a30d6b04b4ef4edef77ab02c29126a32bb58
• Instruction ID: 56b86cc633536bc89daed41b2c542df8b49cf96b5508769d5650c567771aef13
• Opcode Fuzzy Hash: 44ed8b9267c01d776626ae484158a30d6b04b4ef4edef77ab02c29126a32bb58
• Instruction Fuzzy Hash: BB3193B55093805FE711CB65CC85B96BFF8EF06310F08849AE984CB292D375E909C762
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered figure of the function starting at 63a361 (executed / not executed blocks highlighted; edge list not reproduced)
APIs
• RegQueryValueExW.KERNELBASE(?,00000E24,D4DD26F6,00000000,00000000,00000000,00000000), ref: 0063A40C
Memory Dump Source
• Source File: 00000000.00000002.1684463588.000000000063A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_63a000_mhYCwt8wBz.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: 24de017dee30d289b8c754bcc599a069fee80a64b404aa0b923a062ad223c2e0
• Instruction ID: 13c7503f85c53e50ca5fbf17981b7a37683c948e4e456a0309eec3b3067f91db
• Opcode Fuzzy Hash: 24de017dee30d289b8c754bcc599a069fee80a64b404aa0b923a062ad223c2e0
• Instruction Fuzzy Hash: 8D3164755057409FE721CF51CC84F92BBF8EF05710F08849AE985CB292D364E949CB72
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered figure of the function starting at 63aa5c (executed / not executed blocks highlighted; edge list not reproduced)
APIs
• GetFileType.KERNELBASE(?,00000E24,D4DD26F6,00000000,00000000,00000000,00000000), ref: 0063AAF1
Memory Dump Source
• Source File: 00000000.00000002.1684463588.000000000063A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_63a000_mhYCwt8wBz.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
• Opcode ID: 73399832f42d7e2a2036278350b1a87fcf433ce5a5e6089e553a745d2e182c0c
• Instruction ID: cef903cdb75c14664333bb1fb9acdda8da0ac7e522d015ee7a5747723a051118
• Opcode Fuzzy Hash: 73399832f42d7e2a2036278350b1a87fcf433ce5a5e6089e553a745d2e182c0c
• Instruction Fuzzy Hash: 5B21F8754097806FD7128F21DC45BA2BFBCEF47720F0980DAE9808B293D264A94DC7B1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered figure of the function starting at 63a462 (executed / not executed blocks highlighted; edge list not reproduced)
APIs
• RegSetValueExW.KERNELBASE(?,00000E24,D4DD26F6,00000000,00000000,00000000,00000000), ref: 0063A4F8
Memory Dump Source
• Source File: 00000000.00000002.1684463588.000000000063A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_63a000_mhYCwt8wBz.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: a8846ed51827d95915aecc8096dcb16c57a4e4606c63d25aec29d10c1123139b
• Instruction ID: 3e48a0c69488039c1a6cfe9c2540dd0540054f408fe37e76c0cd29dec0fb16b0
• Opcode Fuzzy Hash: a8846ed51827d95915aecc8096dcb16c57a4e4606c63d25aec29d10c1123139b
• Instruction Fuzzy Hash: 482192765043806FD7228F51DC44FA7BFB8EF46220F08849AE985DB652D264E848C7B2
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered figure of the function starting at 63a986 (executed / not executed blocks highlighted; edge list not reproduced)
APIs
• CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0063AA05
Memory Dump Source
• Source File: 00000000.00000002.1684463588.000000000063A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_63a000_mhYCwt8wBz.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 648c14f686a03c742fb019464463ee5e73d87439a68f99060d64091f1fa8808c
• Instruction ID: aeb248ab2605cfc79149d16917f360e50e11d65d4794d7b40a11b2de658fe445
• Opcode Fuzzy Hash: 648c14f686a03c742fb019464463ee5e73d87439a68f99060d64091f1fa8808c
• Instruction Fuzzy Hash: D9218171500240AFEB20CFA5DD45FA6FBE8EF08324F048459E9859B752D375E848DBA2
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered figure of the function starting at 63a646 (executed / not executed blocks highlighted; edge list not reproduced)
APIs
• CreateMutexW.KERNELBASE(?,?), ref: 0063A6B9
Memory Dump Source
• Source File: 00000000.00000002.1684463588.000000000063A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_63a000_mhYCwt8wBz.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: 1b1854274f2482acd66c43758cb28066190243b74e66caba41fd735dcfb77cfc
• Instruction ID: ccbcb0909bfc8cedba531cbe5982565224dc8161391c901ed29c04243e1ea8dd
• Opcode Fuzzy Hash: 1b1854274f2482acd66c43758cb28066190243b74e66caba41fd735dcfb77cfc
• Instruction Fuzzy Hash: DA21D4756002009FEB10CF65CD85BA6FBE8EF05320F18C469E984CB741D375E809CAB2
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered figure of the function starting at 63ac0e (executed / not executed blocks highlighted; edge list not reproduced)
APIs
• WriteFile.KERNELBASE(?,00000E24,D4DD26F6,00000000,00000000,00000000,00000000), ref: 0063AC8D
Memory Dump Source
• Source File: 00000000.00000002.1684463588.000000000063A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_63a000_mhYCwt8wBz.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: d74126f9f64a4542fe6ba2bfd60804f93d29c628a335b7068077139601d68082
• Instruction ID: 39b40a2ee5fc03fb8e8d5d5b83d1ba6f56c919c5db6fcc8ad802bfae6b22cc02
• Opcode Fuzzy Hash: d74126f9f64a4542fe6ba2bfd60804f93d29c628a335b7068077139601d68082
• Instruction Fuzzy Hash: 5821A171405380AFDB22CF51DC44FA7FFB8EF45310F08849AE9859B652C275A948CBB6
Uniqueness
Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • RegQueryValueExW.KERNELBASE(?,00000E24,D4DD26F6,00000000,00000000,00000000,00000000), ref: 0063A40C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1684463588.000000000063A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_63a000_mhYCwt8wBz.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: QueryValue
                                                                                                          • String ID:
                                                                                                          • API String ID: 3660427363-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 0063A780
Memory Dump Source
• Source File: 00000000.00000002.1684463588.000000000063A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_63a000_mhYCwt8wBz.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• API String ID: 2591292051-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegSetValueExW.KERNELBASE(?,00000E24,D4DD26F6,00000000,00000000,00000000,00000000), ref: 0063A4F8
Memory Dump Source
• Source File: 00000000.00000002.1684463588.000000000063A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_63a000_mhYCwt8wBz.jbxd
Similarity
• API ID: Value
• API String ID: 3702945584-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNELBASE(?), ref: 0063A330
Memory Dump Source
• Source File: 00000000.00000002.1684463588.000000000063A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_63a000_mhYCwt8wBz.jbxd
Similarity
• API ID: ErrorMode
• API String ID: 2340568224-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteFile.KERNELBASE(?,00000E24,D4DD26F6,00000000,00000000,00000000,00000000), ref: 0063AC8D
Memory Dump Source
• Source File: 00000000.00000002.1684463588.000000000063A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_63a000_mhYCwt8wBz.jbxd
Similarity
• API ID: FileWrite
• API String ID: 3934441357-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• ShellExecuteExW.SHELL32(?), ref: 0063AE8C
Memory Dump Source
• Source File: 00000000.00000002.1684463588.000000000063A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_63a000_mhYCwt8wBz.jbxd
Similarity
• API ID: ExecuteShell
• API String ID: 587946157-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileType.KERNELBASE(?,00000E24,D4DD26F6,00000000,00000000,00000000,00000000), ref: 0063AAF1
Memory Dump Source
• Source File: 00000000.00000002.1684463588.000000000063A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_63a000_mhYCwt8wBz.jbxd
Similarity
• API ID: FileType
• API String ID: 3081899298-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• ShellExecuteExW.SHELL32(?), ref: 0063AE8C
Memory Dump Source
• Source File: 00000000.00000002.1684463588.000000000063A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_63a000_mhYCwt8wBz.jbxd
Similarity
• API ID: ExecuteShell
• API String ID: 587946157-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 0063A780
Memory Dump Source
• Source File: 00000000.00000002.1684463588.000000000063A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_63a000_mhYCwt8wBz.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• API String ID: 2591292051-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNELBASE(?), ref: 0063A330
Memory Dump Source
• Source File: 00000000.00000002.1684463588.000000000063A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0063A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_63a000_mhYCwt8wBz.jbxd
Similarity
• API ID: ErrorMode
• API String ID: 2340568224-0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1684927878.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a80000_mhYCwt8wBz.jbxd
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1684927878.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a80000_mhYCwt8wBz.jbxd
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1684927878.0000000000A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a80000_mhYCwt8wBz.jbxd
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1684996467.0000000000BF0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bf0000_mhYCwt8wBz.jbxd
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1684450367.0000000000632000.00000040.00000800.00020000.00000000.sdmp, Offset: 00632000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_632000_mhYCwt8wBz.jbxd
                                                                                                          • Opcode ID: c7423e358c32fa064d4928488b3ae558763b29e9b214798063ae37003aa89dae
                                                                                                          • Instruction ID: f62c782a76b403d12e2e8250279148a2fb9700448f4de9dc406cd7fdd77a21be
                                                                                                          • Opcode Fuzzy Hash: c7423e358c32fa064d4928488b3ae558763b29e9b214798063ae37003aa89dae
                                                                                                          • Instruction Fuzzy Hash: 0AD02E392006C24FD3168E0CC2A8BC537D4BB40708F0A00F9A8008B763C728E8C4C240
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1684450367.0000000000632000.00000040.00000800.00020000.00000000.sdmp, Offset: 00632000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_632000_mhYCwt8wBz.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 1cb31ae7c1d05c0e1e4c9375e66aa7bff144c4e517dd4926a87186d774ecf90a
                                                                                                          • Instruction ID: 7cbc3ec69bdc2ee1220fec9bb6aff3c70503ccf7b99e7f07508a7f7047f8b80e
                                                                                                          • Opcode Fuzzy Hash: 1cb31ae7c1d05c0e1e4c9375e66aa7bff144c4e517dd4926a87186d774ecf90a
                                                                                                          • Instruction Fuzzy Hash: 49D05E353406824BD715DE0CD2E4F9977D5AF40B15F0644E8AC108B762C7A8DDC4CA40
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Execution Graph

                                                                                                          Execution Coverage: 20.1%
                                                                                                          Dynamic/Decrypted Code Coverage: 100%
                                                                                                          Signature Coverage: 9.4%
                                                                                                          Total number of Nodes: 139
                                                                                                          Total number of Limit Nodes: 5

                                                                                                          Control-flow Graph

                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4082684721.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_4f50000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: 2$:@k$:@k$f`k
                                                                                                          • API String ID: 0-2435725250
                                                                                                          • Opcode ID: 66aab015997ea02dcd08990a11fec33bfada472041a4648bac86664af5bac6f9
                                                                                                          • Instruction ID: 03b603d8c8793cf85353c5b3fc9d97ff15dfb2df6b718e59fcc75126f5febc25
                                                                                                          • Opcode Fuzzy Hash: 66aab015997ea02dcd08990a11fec33bfada472041a4648bac86664af5bac6f9
                                                                                                          • Instruction Fuzzy Hash: C3328E32E00204CFDB14EB74D8647AD77B2BF88308F5185A9D906AB7A5EB35AC46CF51
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05011533
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AdjustPrivilegesToken
                                                                                                          • String ID:
                                                                                                          • API String ID: 2874748243-0
                                                                                                          • Opcode ID: 7d30cfca7abf3eba262f511811f3529f903180c03e81240d02a364747f288304
                                                                                                          • Instruction ID: 7857c365792f0a3c7623f50425e27d262503ba00d7cf6438b7788f71ccb69319
                                                                                                          • Opcode Fuzzy Hash: 7d30cfca7abf3eba262f511811f3529f903180c03e81240d02a364747f288304
                                                                                                          • Instruction Fuzzy Hash: F6219F76509780AFEB228F25DC44B56BFF4EF06210F0884DAED858B563D275E908DB62
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • NtQuerySystemInformation.NTDLL ref: 05011765
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InformationQuerySystem
                                                                                                          • String ID:
                                                                                                          • API String ID: 3562636166-0
                                                                                                          • Opcode ID: 5976cff3a9e5d3341475295f9859218153d620bb795d2c11fbe7f8b311801cd8
                                                                                                          • Instruction ID: 478a75425afb315e175b61df4e8c556452e9b5d086b3cb4dfac9b3440c9d5067
                                                                                                          • Opcode Fuzzy Hash: 5976cff3a9e5d3341475295f9859218153d620bb795d2c11fbe7f8b311801cd8
                                                                                                          • Instruction Fuzzy Hash: 0821AE754097C09FDB238B20DC45A62FFB4EF17224F0980DBED844B1A3D265A909CB62
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05011533
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AdjustPrivilegesToken
                                                                                                          • String ID:
                                                                                                          • API String ID: 2874748243-0
                                                                                                          • Opcode ID: 9c5791d636f97778fba522920c24bab6361c5769107b9c96a058b28abdfb9575
                                                                                                          • Instruction ID: 3d3716e6fedebe4bf63aaf03428f8d6cff0d30f92ea00944cc3c2976433f2daf
                                                                                                          • Opcode Fuzzy Hash: 9c5791d636f97778fba522920c24bab6361c5769107b9c96a058b28abdfb9575
                                                                                                          • Instruction Fuzzy Hash: 46118276600600DFEB60CF55E844B6AFBE5FF04220F08C4AAEE468B651D375E418DF62
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • NtQuerySystemInformation.NTDLL ref: 05011765
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InformationQuerySystem
                                                                                                          • String ID:
                                                                                                          • API String ID: 3562636166-0
                                                                                                          • Opcode ID: a3c2a1007b6bea934d3bf11b7f113ec69c60342639b24cb84971bc2caea34e60
                                                                                                          • Instruction ID: 6ef3a61d44c47cf5eabd9648738f97fec1f5041251f80e1cf5c9be2a65ded965
                                                                                                          • Opcode Fuzzy Hash: a3c2a1007b6bea934d3bf11b7f113ec69c60342639b24cb84971bc2caea34e60
                                                                                                          • Instruction Fuzzy Hash: 13017C364006409FEB608F05E944B65FBE1EF14220F08C49ADE450A752C275E418CF62
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 04F51537
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4082684721.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_4f50000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DispatcherExceptionUser
                                                                                                          • String ID:
                                                                                                          • API String ID: 6842923-0
                                                                                                          • Opcode ID: 9a0cf8a7b819a23e3b8e015d43f1dd727d10b0230d4387ee5ac070832ea51930
                                                                                                          • Instruction ID: 19ed00ca35aae8f4c333848f50e80110a9d689bd9a5e64a9d80218b6ec2e182a
                                                                                                          • Opcode Fuzzy Hash: 9a0cf8a7b819a23e3b8e015d43f1dd727d10b0230d4387ee5ac070832ea51930
                                                                                                          • Instruction Fuzzy Hash: 7C41A471E002008FCB04EF78D59469DB7A2EF88214B598469C909DB359DB35ED46CBE1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 1fd710787998a928093760a3dd2fec7c1fa40b4e52d8e236f16413d1080dac8a
                                                                                                          • Instruction ID: 7239e58ddcbd5c89ebb8cec43174f80b10886dc91f19143ef0812993e19dc786
                                                                                                          • Opcode Fuzzy Hash: 1fd710787998a928093760a3dd2fec7c1fa40b4e52d8e236f16413d1080dac8a
                                                                                                          • Instruction Fuzzy Hash: DC41EF324093C05FE7138B259C59B96BFB4EF07224F0984DBE8C48B1A3D265A90DC7A2
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 04F51537
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4082684721.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_4f50000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DispatcherExceptionUser
                                                                                                          • String ID:
                                                                                                          • API String ID: 6842923-0
                                                                                                          • Opcode ID: 7b1037731de2e6632a856269ff93923dfe7588b5c688c304ccb4b82a814cc78f
                                                                                                          • Instruction ID: b9f016d5270e0ad46e6aea2ae9ce4b1ea5941982be6559942d883b1332310703
                                                                                                          • Opcode Fuzzy Hash: 7b1037731de2e6632a856269ff93923dfe7588b5c688c304ccb4b82a814cc78f
                                                                                                          • Instruction Fuzzy Hash: ED416F71E006018FCB04EF78C69569DB7F2EF88304B588469D909DB369EB35ED46CBA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed): [graph not reproduced in text; basic blocks 5011910-5011a17, with the FormatMessageW call in block 5011996-50119e8]
APIs
• FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 050119E6
Memory Dump Source
• Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
• Opcode ID: 574521a44307e6a870e33ab2b202380272d6b6a27575f46d42a855801effec27
• Instruction ID: 81fae8f07f68e5f0985cd2cdd76c5c4d5d7f776e2434c07b6df09882d676e598
• Opcode Fuzzy Hash: 574521a44307e6a870e33ab2b202380272d6b6a27575f46d42a855801effec27
• Instruction Fuzzy Hash: 8C31686154E3C05FD7038B758C65A61BFB4EF47610B0E80CBD884CF2A3D6246919C7B2
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed): [graph not reproduced in text; basic blocks 5011d86-5011e93, with the RegCreateKeyExW call in block 5011e47-5011e5a]
APIs
• RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 05011E4D
Memory Dump Source
• Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: f4ec87477d024f56f066c202ec9e3387b81f266031e09b816fe85a769558fb6f
• Instruction ID: 504d38c9cbbec05d93493e2fc71999d2693a2b4fcd6e7b024919a9c676306b22
• Opcode Fuzzy Hash: f4ec87477d024f56f066c202ec9e3387b81f266031e09b816fe85a769558fb6f
• Instruction Fuzzy Hash: A3319072504344AFE721CF61DC44FA7BBFCEF05210F08859AE985DB652D324E948CBA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed): [graph not reproduced in text; basic blocks 5010df0-5010f0d, with the getaddrinfo call in block 5010eb1-5010eb9]
APIs
• getaddrinfo.WS2_32(?,00000E24), ref: 05010EB7
Memory Dump Source
• Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
Similarity
• API ID: getaddrinfo
• String ID:
• API String ID: 300660673-0
• Opcode ID: 5cdfb694f403ad644b7e54fb978d3fe30cb5f7572cc9ebb484e73ca9b96dde8c
• Instruction ID: e750ba66af5e343b03012ea53e60fbc191214e01176e24717722b5f2a94494ea
• Opcode Fuzzy Hash: 5cdfb694f403ad644b7e54fb978d3fe30cb5f7572cc9ebb484e73ca9b96dde8c
• Instruction Fuzzy Hash: 8231C471504340AFE721CB50DD45FA6FBACEF04314F04889AFA449B682D374A94CCB71
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcessTimes.KERNELBASE(?,00000E24,5258C8BA,00000000,00000000,00000000,00000000), ref: 05010D85
Memory Dump Source
• Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
Similarity
• API ID: ProcessTimes
• String ID:
• API String ID: 1995159646-0
• Opcode ID: 725c5080628fe1cdb40242112f0d1204d5bd70d3b2d177439d48b15524cfa1c2
• Instruction ID: 203af5143a47d1a3700c1f31ef81720638b2243100dea69a2f2df1a4e36ad9de
• Opcode Fuzzy Hash: 725c5080628fe1cdb40242112f0d1204d5bd70d3b2d177439d48b15524cfa1c2
• Instruction Fuzzy Hash: 253129755097806FE7228F20DC44FA6BFB8EF06324F0884DBE8858F193D224A549C776
Uniqueness
Uniqueness Score: -1.00%

APIs
• ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 0501067B
Memory Dump Source
• Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
Similarity
• API ID: DescriptorSecurity$ConvertString
• String ID:
• API String ID: 3907675253-0
• Opcode ID: 4bf1e159061f11f2ea3ba5b9849c3164c211c8ad68a16a7ab253bf16dc543c29
• Instruction ID: 56c7912db43a57bc52340cdf99bfc6f89ace5092c34a36306ef254fb37e97925
• Opcode Fuzzy Hash: 4bf1e159061f11f2ea3ba5b9849c3164c211c8ad68a16a7ab253bf16dc543c29
• Instruction Fuzzy Hash: 2631D171504340AFE7218B25DC44FA7BBE8EF45210F08849AE984DB652D324A848CB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateMutexW.KERNELBASE(?,?), ref: 0109A6B9
Memory Dump Source
• Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: cd0ed44567d0cb47b6a62245ade2c151cdaa5f56d1d6cfdea7bd3a94356815c7
• Instruction ID: 057008c85b81b03b4c310b4cf4f3b3bc5198ee83f3c6324c2a8384186f0b42f6
• Opcode Fuzzy Hash: cd0ed44567d0cb47b6a62245ade2c151cdaa5f56d1d6cfdea7bd3a94356815c7
• Instruction Fuzzy Hash: E33193755093809FE712CB65CC95B96FFF8EF06210F08849AE984CB293D375E909C761
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0109A945
Memory Dump Source
• Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: a25f2f3992fc5658de1d93cc051c1fbb4ed7e191cc0526fc93c88df2c5f85503
• Instruction ID: ba6b49f3e0e505f0fb127fb516834d3a729e3f044a42994db4b80476e6b40e60
• Opcode Fuzzy Hash: a25f2f3992fc5658de1d93cc051c1fbb4ed7e191cc0526fc93c88df2c5f85503
• Instruction Fuzzy Hash: 1921A0B2504344AFE7228B15CC44FA7FBECEF05220F08849AEA859B652D264E54DCB71
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 05011E4D
Memory Dump Source
• Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 922607a7b699bb123f0379fcb1ebc45c4099ad1c7526b0eaeddb821db1bfae88
• Instruction ID: 96a2237a01bace01ca14324ee1b8d84e10cfd8993d22ff0b24081e4d8c90a8ff
• Opcode Fuzzy Hash: 922607a7b699bb123f0379fcb1ebc45c4099ad1c7526b0eaeddb821db1bfae88
• Instruction Fuzzy Hash: 8021CC72600604AFEB20CF51DC44FABBBEDEF08214F08845AEE45D7651D330E408CAA6
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageTimeoutA.USER32(?,00000E24), ref: 0109AA49
Memory Dump Source
• Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
Similarity
• API ID: MessageSendTimeout
• String ID:
• API String ID: 1599653421-0
• Opcode ID: 5f221ed03fcc34e24e03d3254105461a8bccdec0849243b175ba9e0005fde79d
• Instruction ID: a4cb4984f487551c0162a1152be33f0a1119172ca6ae2a090f3560c4804d15d8
• Opcode Fuzzy Hash: 5f221ed03fcc34e24e03d3254105461a8bccdec0849243b175ba9e0005fde79d
• Instruction Fuzzy Hash: D231D471505380AFEB228F60CC45FA2FFB8EF46314F18849AE9858B553D275A54DCB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0109AD9D
Memory Dump Source
• Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: e3a824d3cb789d340c26bba87c644c017f6b1836f4f8dbb9304b193587cccba5
• Instruction ID: 49fc21a27a85ae1a4a8974978fe0c2767209e0a84824a60497d80cfda04cfaae
• Opcode Fuzzy Hash: e3a824d3cb789d340c26bba87c644c017f6b1836f4f8dbb9304b193587cccba5
• Instruction Fuzzy Hash: 73319171505340AFEB21CF65CC84F96BBF8EF05210F08849EE9858B652D375E908CB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNELBASE(?,00000E24,5258C8BA,00000000,00000000,00000000,00000000), ref: 0109A40C
Memory Dump Source
• Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: 20b048eafa3cfe8c8783ba78c406f171969fd443931e329b8c3a349a4c1032d8
• Instruction ID: 22d220302556c20a01d4b38e6c5325c5b8a5cc5d0af3f2a6c888e7d7b38edf91
• Opcode Fuzzy Hash: 20b048eafa3cfe8c8783ba78c406f171969fd443931e329b8c3a349a4c1032d8
• Instruction Fuzzy Hash: 22315E75505780AFEB62CF15CC84F92BBF8EF46610F08C4DAE9858B292D364E949CB61
Uniqueness
Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • getaddrinfo.WS2_32(?,00000E24), ref: 05010EB7
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: getaddrinfo
                                                                                                          • String ID:
                                                                                                          • API String ID: 300660673-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• EnumWindows.USER32(?,00000E24,?,?), ref: 0109A1C2
Memory Dump Source
• Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
Similarity
• API ID: EnumWindows
• String ID:
• API String ID: 1129996299-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileType.KERNELBASE(?,00000E24,5258C8BA,00000000,00000000,00000000,00000000), ref: 0109AE89
Memory Dump Source
• Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• WSASocketW.WS2_32(?,?,?,?,?), ref: 0501013A
Memory Dump Source
• Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
Similarity
• API ID: Socket
• String ID:
• API String ID: 38366605-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteFile.KERNELBASE(?,00000E24,5258C8BA,00000000,00000000,00000000,00000000), ref: 0109B00D
Memory Dump Source
• Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegSetValueExW.KERNELBASE(?,00000E24,5258C8BA,00000000,00000000,00000000,00000000), ref: 0109A4F8
Memory Dump Source
• Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 0501067B
Memory Dump Source
• Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
Similarity
• API ID: DescriptorSecurity$ConvertString
• String ID:
• API String ID: 3907675253-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0109AD9D
Memory Dump Source
• Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNELBASE(?,00000E24,5258C8BA,00000000,00000000,00000000,00000000), ref: 05010590
Memory Dump Source
• Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0109A945
Memory Dump Source
• Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetProcessWorkingSetSize.KERNEL32(?,00000E24,5258C8BA,00000000,00000000,00000000,00000000), ref: 05011C57
Memory Dump Source
• Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
Similarity
• API ID: ProcessSizeWorking
• String ID:
• API String ID: 3584180929-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcessWorkingSetSize.KERNEL32(?,00000E24,5258C8BA,00000000,00000000,00000000,00000000), ref: 05011B73
Memory Dump Source
• Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
Similarity
• API ID: ProcessSizeWorking
• String ID:
• API String ID: 3584180929-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetExitCodeProcess.KERNELBASE(?,00000E24,5258C8BA,00000000,00000000,00000000,00000000), ref: 05011A94
Memory Dump Source
• Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
Similarity
• API ID: CodeExitProcess
• String ID:
• API String ID: 3861947596-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CopyFileW.KERNELBASE(?,?,?), ref: 0109AC9E
Memory Dump Source
• Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
Similarity
• API ID: CopyFile
• String ID:
• API String ID: 1304948518-0
                                                                                                          • Opcode ID: 3ce03f89e425d7e313de3a479f87d8ccff03ddd315f9e28b8f9fab9e917e39ef
                                                                                                          • Instruction ID: 1a1b7edcebc26ff0e5efcd242ea8f42bc256e4f00882daea8dc66bbff8e4aef8
                                                                                                          • Opcode Fuzzy Hash: 3ce03f89e425d7e313de3a479f87d8ccff03ddd315f9e28b8f9fab9e917e39ef
                                                                                                          • Instruction Fuzzy Hash: D02190B26043809FEB52CF29DC45B52BFE8EF06214F0984EAE985CF163D234D908DB61
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • CreateMutexW.KERNELBASE(?,?), ref: 0109A6B9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateMutex
                                                                                                          • String ID:
                                                                                                          • API String ID: 1964310414-0
                                                                                                          • Opcode ID: 53660f318742698aceaf6be582c4f049c7149ee9efb5e772c598cc440e486c73
                                                                                                          • Instruction ID: b89291d474d07490c7c4bae9156ee18bc08a539f52c4e9e5047fb7ab13c82b39
                                                                                                          • Opcode Fuzzy Hash: 53660f318742698aceaf6be582c4f049c7149ee9efb5e772c598cc440e486c73
                                                                                                          • Instruction Fuzzy Hash: 2B21D4716002009FFB50CF65CD85BA6FBE8EF08220F04C4AAE985CB742D374E809CAB1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • RegQueryValueExW.KERNELBASE(?,00000E24,5258C8BA,00000000,00000000,00000000,00000000), ref: 0109A40C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: QueryValue
                                                                                                          • String ID:
                                                                                                          • API String ID: 3660427363-0
                                                                                                          • Opcode ID: 921801fec76b66f48308ec8fc5e5d6ff80fcf4ebb3c5f3455b46d6ba879a96cf
                                                                                                          • Instruction ID: 18ea424ed85c476b54e58c502d0caa9029667d7a158ff9bcb0ace30d61002b96
                                                                                                          • Opcode Fuzzy Hash: 921801fec76b66f48308ec8fc5e5d6ff80fcf4ebb3c5f3455b46d6ba879a96cf
                                                                                                          • Instruction Fuzzy Hash: A321C076600600DFEB61CF15CC84FA6F7ECEF04620F18C49AE9868B651D764E849DA71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • K32EnumProcesses.KERNEL32(?,?,?,5258C8BA,00000000,?,?,?,?,?,?,?,?,6C9D3C58), ref: 050116A6
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: EnumProcesses
                                                                                                          • String ID:
                                                                                                          • API String ID: 84517404-0
                                                                                                          • Opcode ID: 7e8ca379a6d12a2f1f4b7fa33c69dade454d9c537996a8b25fc2b9617fb38027
                                                                                                          • Instruction ID: d97437da496b29acd874a9b73fa3cafc5f7fca8198640ba28c6a1bc7ce104b96
                                                                                                          • Opcode Fuzzy Hash: 7e8ca379a6d12a2f1f4b7fa33c69dade454d9c537996a8b25fc2b9617fb38027
                                                                                                          • Instruction Fuzzy Hash: 1C2180715093809FD752CB65DC44B96BFF8EF06210F0984EAED85CB162D275A908CB62
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileView
                                                                                                          • String ID:
                                                                                                          • API String ID: 3314676101-0
                                                                                                          • Opcode ID: 6e6a9f343e8469993102ae1a64d64b7a7f2919cfa9fb877ea18e8bcee04e8087
                                                                                                          • Instruction ID: b787c13182f480c4704621d30f991f343accb5a045c31f58ad392f45427f3d18
                                                                                                          • Opcode Fuzzy Hash: 6e6a9f343e8469993102ae1a64d64b7a7f2919cfa9fb877ea18e8bcee04e8087
                                                                                                          • Instruction Fuzzy Hash: 2B21F372504200AFEB21CF55DD85FAAFBE8EF08324F04845DE9858B641D775F448CBA6
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 0501103E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Connect
                                                                                                          • String ID:
                                                                                                          • API String ID: 3144859779-0
                                                                                                          • Opcode ID: 93be8987b51c2a2bc441d6282b88e82e7836a588a440ce986d5baf84b6f275f7
                                                                                                          • Instruction ID: 390e95d851cc54351c5a0d46d0ec13abcd2abe176b1e035e0dfbfa0eaac60646
                                                                                                          • Opcode Fuzzy Hash: 93be8987b51c2a2bc441d6282b88e82e7836a588a440ce986d5baf84b6f275f7
                                                                                                          • Instruction Fuzzy Hash: D0219F71508780AFDB228F61DC44B62BFF4FF06310F08849AED858B562D275A818DB62
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • WSASocketW.WS2_32(?,?,?,?,?), ref: 0501013A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Socket
                                                                                                          • String ID:
                                                                                                          • API String ID: 38366605-0
                                                                                                          • Opcode ID: bea9a53a05f53767d6c85083305a9a5dee9008ac7061392f4240517f88060b71
                                                                                                          • Instruction ID: 12ed3cc8d0042d1c1e929e3be63a74d796d65d0dce2c9d98b66f48b0371f2f30
                                                                                                          • Opcode Fuzzy Hash: bea9a53a05f53767d6c85083305a9a5dee9008ac7061392f4240517f88060b71
                                                                                                          • Instruction Fuzzy Hash: E921CF72500200AFEB21CF51DD44FAAFBE9EF08324F08C89AED858A651C375E548CB72
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 0109A780
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ChangeCloseFindNotification
                                                                                                          • String ID:
                                                                                                          • API String ID: 2591292051-0
                                                                                                          • Opcode ID: 5db14473174c5952fa12cc6fd63e0992385fa1c81347be99a4c2a87798058928
                                                                                                          • Instruction ID: 4910fd5a8301317b03422f5da2e1daefddc42ff4b7a5a737459463e15a38053d
                                                                                                          • Opcode Fuzzy Hash: 5db14473174c5952fa12cc6fd63e0992385fa1c81347be99a4c2a87798058928
                                                                                                          • Instruction Fuzzy Hash: D421D2B59043809FDB128F25DC85B52BFB4FF02224F0884EAEC858B653D275A905DBA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • SendMessageTimeoutA.USER32(?,00000E24), ref: 0109AA49
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSendTimeout
                                                                                                          • String ID:
                                                                                                          • API String ID: 1599653421-0
                                                                                                          • Opcode ID: 5c74d0c9a518bde303058a702baa69063833aab0f5b9f462dde7d718ee0c2a4c
                                                                                                          • Instruction ID: 1e5586c8237e1ff0b5f1bb20d276951f770b5f497cb1a4e1f84ee17c516280ae
                                                                                                          • Opcode Fuzzy Hash: 5c74d0c9a518bde303058a702baa69063833aab0f5b9f462dde7d718ee0c2a4c
                                                                                                          • Instruction Fuzzy Hash: 7821D272500200AFEB218F55DD40FA6FBE8EF04320F14845AFD859B651D379E508DB71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • RegQueryValueExW.KERNELBASE(?,00000E24,5258C8BA,00000000,00000000,00000000,00000000), ref: 05010590
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: QueryValue
                                                                                                          • String ID:
                                                                                                          • API String ID: 3660427363-0
                                                                                                          • Opcode ID: 58925e130c3f07bb53cf3c0d1a6da6b7459aebe185124f05a8d69dce022f64cb
                                                                                                          • Instruction ID: e0977d4b3d34342afdb2b10b7598a812bb60665f4507b412ba1f0e07837f845e
                                                                                                          • Opcode Fuzzy Hash: 58925e130c3f07bb53cf3c0d1a6da6b7459aebe185124f05a8d69dce022f64cb
                                                                                                          • Instruction Fuzzy Hash: FC119D76500600AFE761CF15DC44FABF7E9EF08620F08C45AED459A651D364E5488AB6
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • RegSetValueExW.KERNELBASE(?,00000E24,5258C8BA,00000000,00000000,00000000,00000000), ref: 0109A4F8
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Value
                                                                                                          • String ID:
                                                                                                          • API String ID: 3702945584-0
                                                                                                          • Opcode ID: 5fbbca07132fcf74db0c8cb03ee7b2cabbe92f6825696f99fd46a67cfdc5894b
                                                                                                          • Instruction ID: b3d23daf970f8a480b983eb0e5641c30a9f0c1d81dd3cd11cd92beb27cae1658
                                                                                                          • Opcode Fuzzy Hash: 5fbbca07132fcf74db0c8cb03ee7b2cabbe92f6825696f99fd46a67cfdc5894b
                                                                                                          • Instruction Fuzzy Hash: 8A11B176600600AFEB618F15DC44FA7FBECEF04724F08C49AED859B651D764E448DA72
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • GetProcessTimes.KERNELBASE(?,00000E24,5258C8BA,00000000,00000000,00000000,00000000), ref: 05010D85
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ProcessTimes
                                                                                                          • String ID:
                                                                                                          • API String ID: 1995159646-0
                                                                                                          • Opcode ID: 313907482b14bad5f662ce1990305d4f45cda50edf2a63dc3f519d81cef5d1b9
                                                                                                          • Instruction ID: 6304e9344fc6674ef4730ab28087db70f4056c6ab89294b528cac8a82d92203a
                                                                                                          • Opcode Fuzzy Hash: 313907482b14bad5f662ce1990305d4f45cda50edf2a63dc3f519d81cef5d1b9
                                                                                                          • Instruction Fuzzy Hash: 9011B176500600AFEB61CF55DC44FAAF7E8EF04224F14C46AED459B651D274E4488BA6
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 050113B2
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: LookupPrivilegeValue
                                                                                                          • String ID:
• API String ID: 3899507212-0
• Opcode ID: c921023932879daf19dfb1a2c746a6af0204723570f1ce404bca11176450eea8
• Instruction ID: 8a35a665216961223718d99311a28e3874a5c3475fde4666b70fed5c075a56bd
• Opcode Fuzzy Hash: c921023932879daf19dfb1a2c746a6af0204723570f1ce404bca11176450eea8
• Instruction Fuzzy Hash: 3D1184719053805FD761CF25DC85B67BFE8EF45220F0884AAED85CB656D274E804CB62
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFileAttributesW.KERNELBASE(?,?), ref: 0109AF33
Memory Dump Source
• Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 119843301730719007f4f0d0b93763a7f21f4a8eb5688f70d3585ae44e81afd7
• Instruction ID: 37bcd5866cf7d9d92d7ec1ec7f61dec5818a5ae229c193ab7f06b840eb52f17c
• Opcode Fuzzy Hash: 119843301730719007f4f0d0b93763a7f21f4a8eb5688f70d3585ae44e81afd7
• Instruction Fuzzy Hash: 2721A2716093809FDB528F25DC54B52BFF4EF06210F0984EBEC85CB2A3D225A949CB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcessWorkingSetSize.KERNEL32(?,00000E24,5258C8BA,00000000,00000000,00000000,00000000), ref: 05011B73
Memory Dump Source
• Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
Similarity
• API ID: ProcessSizeWorking
• String ID:
• API String ID: 3584180929-0
• Opcode ID: 0ebe6372dba5ea75839c80d3fb7731c1f41749c39cb76603e2ce45b49ad4925e
• Instruction ID: 61144baa5b30621a0684a19dea8fa5c02556e223c643d8a350ee3f0959eeccd8
• Opcode Fuzzy Hash: 0ebe6372dba5ea75839c80d3fb7731c1f41749c39cb76603e2ce45b49ad4925e
• Instruction Fuzzy Hash: 2E11B2725002009FEB51CF15DD84BAAF7E8EF45224F18C4AAEE459B641D274E548CAB6
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetProcessWorkingSetSize.KERNEL32(?,00000E24,5258C8BA,00000000,00000000,00000000,00000000), ref: 05011C57
Memory Dump Source
• Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
Similarity
• API ID: ProcessSizeWorking
• String ID:
• API String ID: 3584180929-0
• Opcode ID: 0ebe6372dba5ea75839c80d3fb7731c1f41749c39cb76603e2ce45b49ad4925e
• Instruction ID: 2abe7afb78f69d46e852ea08797c360b73783c6d734eb847fab7f0e5411e6a4b
• Opcode Fuzzy Hash: 0ebe6372dba5ea75839c80d3fb7731c1f41749c39cb76603e2ce45b49ad4925e
• Instruction Fuzzy Hash: CF11BF72600604AFEB61CF15EC45BAAF7E8EF44224F18C46AEE059B641D274E548CAB6
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 05010082
Memory Dump Source
• Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: 1e79920133fa3e095bf376e2b16a7f9ee3bf5352bb4109b5a0615baa9a6d4610
• Instruction ID: 7df96c83075fa092e9ea345ae27e807e6a3b04a43c7d5293221aa70426f3d558
• Opcode Fuzzy Hash: 1e79920133fa3e095bf376e2b16a7f9ee3bf5352bb4109b5a0615baa9a6d4610
• Instruction Fuzzy Hash: 5C11C172544340AFD3118B15DC45F72BBF8EF8AA20F05819AFC489BA42D274B959CBA2
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetExitCodeProcess.KERNELBASE(?,00000E24,5258C8BA,00000000,00000000,00000000,00000000), ref: 05011A94
Memory Dump Source
• Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
Similarity
• API ID: CodeExitProcess
• String ID:
• API String ID: 3861947596-0
• Opcode ID: 6298954b0a6e2ff256c8383d0fe589fde53fb574e1500d09dfab1140f30b87d3
• Instruction ID: 6925a9e66b7751f9d878410e048572f8c61ef30ea746c3a96d811cd9301d190e
• Opcode Fuzzy Hash: 6298954b0a6e2ff256c8383d0fe589fde53fb574e1500d09dfab1140f30b87d3
• Instruction Fuzzy Hash: 6911E771600644AFEB50CF55EC44FAAFBD8EF05224F14C46AEE05DB641D274E548CBB6
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0109B33E
Memory Dump Source
• Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: f2cf208646961cfff233180da6eddc3a898f64fca24fb90885ed135b6d1bd264
• Instruction ID: c407e5ed47a233626016f07674050128eae839202f75bff6f68cde9ada7ff401
• Opcode Fuzzy Hash: f2cf208646961cfff233180da6eddc3a898f64fca24fb90885ed135b6d1bd264
• Instruction Fuzzy Hash: 04117F72409780AFDB228F55DC44A62FFF4EF4A220F08C8DAED858B562C275A518DB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteFile.KERNELBASE(?,00000E24,5258C8BA,00000000,00000000,00000000,00000000), ref: 0109B00D
Memory Dump Source
• Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: b914ea50abc0d6b20b85fa17588e0bd0a77d7a95dc76869f924c95dc335ba660
• Instruction ID: a7e9254f6d71535cdb42d45d9866069544a9be8b405851d05ce4a7236d79bf68
• Opcode Fuzzy Hash: b914ea50abc0d6b20b85fa17588e0bd0a77d7a95dc76869f924c95dc335ba660
• Instruction Fuzzy Hash: A411B272500200AFEB218F55DC44FAAFBE8EF44724F14C4AAF9459B651D375A548CBB1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 050104D6
Memory Dump Source
• Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: 7296eb0cc4d3bc64d70acb176d3e87afefc903338ed1bde749676b5997b51637
• Instruction ID: 5ef49c23fc420c7e8d9e79e354f97928771e930d933228fe93e79d551b822790
• Opcode Fuzzy Hash: 7296eb0cc4d3bc64d70acb176d3e87afefc903338ed1bde749676b5997b51637
• Instruction Fuzzy Hash: D111C871509380AFD315CB25CC45F66FFB4EF86620F09818FE8449B692D225B959CBA2
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNELBASE(?), ref: 0109A330
Memory Dump Source
• Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: b3f9c9be81ffc154da49760513f27349f5ee4316082ade643c6d5cc01035f819
• Instruction ID: 7f1aa6d7cdafefc07882bcdb642c57b76da6ab25d94d01b382942647cb9c9cd1
• Opcode Fuzzy Hash: b3f9c9be81ffc154da49760513f27349f5ee4316082ade643c6d5cc01035f819
• Instruction Fuzzy Hash: 49119171909380AFEB128B15DC54B62BFB4EF46224F09C0DAED858B253C265A808DB62
Uniqueness
Uniqueness Score: -1.00%

APIs
• LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 050113B2
Memory Dump Source
• Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: e453ef01a6ce149c468cafce90a63ea786084a241bac1fbb4cb5ec8a6a552ca5
• Instruction ID: 5f8441a88e1c6a0d4516c04447219c3debd53ecb48ddf883817944cc6a9f45ba
• Opcode Fuzzy Hash: e453ef01a6ce149c468cafce90a63ea786084a241bac1fbb4cb5ec8a6a552ca5
• Instruction Fuzzy Hash: 42116576A046008FEB64CF19E885B6AFBD8EF14220F08C4AAED45DBB45D275E404CA76
Uniqueness
Uniqueness Score: -1.00%

APIs
• CopyFileW.KERNELBASE(?,?,?), ref: 0109AC9E
Memory Dump Source
• Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
Similarity
• API ID: CopyFile
• String ID:
• API String ID: 1304948518-0
• Opcode ID: 2ffb3c34ca0b2957e3a9b2cbb0484bb3aec8366bc3fe5c4c00d6e8ee647d1fec
• Instruction ID: be768b9df1394426a05a3cfc2e7efe2b4f6394fc048ba0cbca66fb06db0d5be4
• Opcode Fuzzy Hash: 2ffb3c34ca0b2957e3a9b2cbb0484bb3aec8366bc3fe5c4c00d6e8ee647d1fec
• Instruction Fuzzy Hash: B81152B6600244CFEB50CF19D845B56FBD8EF54220F08C4AADD85DF642D275E404DB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileType.KERNELBASE(?,00000E24,5258C8BA,00000000,00000000,00000000,00000000), ref: 0109AE89
Memory Dump Source
• Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
• Opcode ID: 4cf43ea62c0681fd6d824b13f2ef4477aba08f51e7d0ac3a9ffd6582aa491940
• Instruction ID: 1c29b7ab7a0595e2b099b4f2208e5fd6e806975d7a1e810dbdedf9153bd5e1ea
• Opcode Fuzzy Hash: 4cf43ea62c0681fd6d824b13f2ef4477aba08f51e7d0ac3a9ffd6582aa491940
• Instruction Fuzzy Hash: 2101D272A00204EFEB61CB06DD84FA6F7E8DF55724F18C096ED459B741D378E4488AB2
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
Similarity
• API ID: closesocket
• String ID:
• API String ID: 2781271927-0
• Opcode ID: e116dfacb96a7d9d4a90662345f93f24e924938803f13b5856678dde231d716f
• Instruction ID: d42eac1c8090016f4a986e45ebe675d6240c86a3f8158c2c696710a1e8391ed1
• Opcode Fuzzy Hash: e116dfacb96a7d9d4a90662345f93f24e924938803f13b5856678dde231d716f
• Instruction Fuzzy Hash: 9111A0715483849FDB52CF15DC84B52BFB4EF46321F0884DAED899F253D279A508CBA2
Uniqueness
Uniqueness Score: -1.00%

APIs
• K32EnumProcesses.KERNEL32(?,?,?,5258C8BA,00000000,?,?,?,?,?,?,?,?,6C9D3C58), ref: 050116A6
Memory Dump Source
• Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
Similarity
• API ID: EnumProcesses
• String ID:
• API String ID: 84517404-0
• Opcode ID: 7ac4a07a7bd9def04638a7dc68abfbe54191b58bdeca76b60c4acadd28331bd3
• Instruction ID: 76f4bd8b6dfdbe0e045a5598c04992b871d7a5bb11aebe147925af311515aa6b
• Opcode Fuzzy Hash: 7ac4a07a7bd9def04638a7dc68abfbe54191b58bdeca76b60c4acadd28331bd3
• Instruction Fuzzy Hash: 3511C4766002048FEB50CF55E884BAAFBE8EF04220F0CC4AADE49CB651D375E404CF62
Uniqueness
Uniqueness Score: -1.00%

APIs
• WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 0501103E
Memory Dump Source
• Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Connect
                                                                                                          • String ID:
                                                                                                          • API String ID: 3144859779-0
                                                                                                          • Opcode ID: abda6fe3cf2bffdc8b8b5b9161858cdcb4159ee09860f84b8685512d5070a5f5
                                                                                                          • Instruction ID: 5620e94a54b556a10da938b40d715dad2058331977d0b7e2a3728aba90bbd1c2
                                                                                                          • Opcode Fuzzy Hash: abda6fe3cf2bffdc8b8b5b9161858cdcb4159ee09860f84b8685512d5070a5f5
                                                                                                          • Instruction Fuzzy Hash: E51170369006409FEB61CF55D844B66FBE5FF08320F08C5AAEE858B661D375E458CF62
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • SetFileAttributesW.KERNELBASE(?,?), ref: 0109AF33
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AttributesFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 3188754299-0
                                                                                                          • Opcode ID: 19b039bfe19f00c4740743ef274adbd7e47cff86fcb35e93cc1492b822b27be1
                                                                                                          • Instruction ID: 70e1e1868c26f3a0f3b4a8f0233e764a9620833de1216b4d072f9c33565ce8b7
                                                                                                          • Opcode Fuzzy Hash: 19b039bfe19f00c4740743ef274adbd7e47cff86fcb35e93cc1492b822b27be1
                                                                                                          • Instruction Fuzzy Hash: 640184B16002009FEF50CF59D855756FBD4EF14620F08C4AADD45DB692D275E504DA61
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 050119E6
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FormatMessage
                                                                                                          • String ID:
                                                                                                          • API String ID: 1306739567-0
                                                                                                          • Opcode ID: a47ff853c302c85646e528527b963cbb2b2e14431643c00122f2930ba49f2eec
                                                                                                          • Instruction ID: be211798035ff7b2944382c2fd5639676941127e33ba7ca4502918231fa9fe5d
                                                                                                          • Opcode Fuzzy Hash: a47ff853c302c85646e528527b963cbb2b2e14431643c00122f2930ba49f2eec
                                                                                                          • Instruction Fuzzy Hash: 3601B171A00200ABE310DF16CD85B66FBE8EB88A20F14811AEC089BB41D731B955CBE1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • EnumWindows.USER32(?,00000E24,?,?), ref: 0109A1C2
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: EnumWindows
                                                                                                          • String ID:
                                                                                                          • API String ID: 1129996299-0
                                                                                                          • Opcode ID: 03e438861e33fcdc8f942991e8f80e915cb93585752988388c20cd5175a12b00
                                                                                                          • Instruction ID: 953a3dadd0a8b3855f142112203e7f49b5939ee3573cdfaa4a88180c14a20337
                                                                                                          • Opcode Fuzzy Hash: 03e438861e33fcdc8f942991e8f80e915cb93585752988388c20cd5175a12b00
                                                                                                          • Instruction Fuzzy Hash: 0501B171A00200ABE310DF16CD85B66FBE8EB88A20F14815AEC089BB41D735B955CBE1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0109B33E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DuplicateHandle
                                                                                                          • String ID:
                                                                                                          • API String ID: 3793708945-0
                                                                                                          • Opcode ID: 0db1c3d1d503707f8afaf4352cdddb17f0482a37bfee7cfdc753ca3bef4decbd
                                                                                                          • Instruction ID: e31f8121f32ce05582bfc8f93579ec9370cc9053dfea2e68516e2723839d1fe7
                                                                                                          • Opcode Fuzzy Hash: 0db1c3d1d503707f8afaf4352cdddb17f0482a37bfee7cfdc753ca3bef4decbd
                                                                                                          • Instruction Fuzzy Hash: A4015B72500600DFEF61CF55E884B56FBE4EF48720F08C9AAED8A4A652C275E418DF61
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 050104D6
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ComputerName
                                                                                                          • String ID:
                                                                                                          • API String ID: 3545744682-0
                                                                                                          • Opcode ID: e414f2c174b0f0594b642a22459e68676a03a10af8bc7d9627ce82ff190596f3
                                                                                                          • Instruction ID: a95384adf9a96eb81921b3d53351873f67c610b676fc315dedf68669875e827d
                                                                                                          • Opcode Fuzzy Hash: e414f2c174b0f0594b642a22459e68676a03a10af8bc7d9627ce82ff190596f3
                                                                                                          • Instruction Fuzzy Hash: 3901A271500200ABD214DF16CD86B66FBE8FB88A20F14815AEC089BB41D771F955CBE5
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 05010082
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4082771063.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_5010000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: QueryValue
                                                                                                          • String ID:
                                                                                                          • API String ID: 3660427363-0
                                                                                                          • Opcode ID: 3925e61e317f534815430dcec19206f7d505d445006f8f28c5978bdfc72210b7
                                                                                                          • Instruction ID: 27a95de8c9418c9e21704e94fc3a7bb246e6b9e2d236a18f5face291e83f307d
                                                                                                          • Opcode Fuzzy Hash: 3925e61e317f534815430dcec19206f7d505d445006f8f28c5978bdfc72210b7
                                                                                                          • Instruction Fuzzy Hash: 3701A271500200ABD214DF16CD86B66FBE8FB88A20F14C11AEC089BB41D771F955CBE5
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 0109A780
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ChangeCloseFindNotification
                                                                                                          • String ID:
                                                                                                          • API String ID: 2591292051-0
                                                                                                          • Opcode ID: 32c86e56f5f6df6090431485b114074ae1d52a073b966caeff7506c3cbc95d84
                                                                                                          • Instruction ID: 1b56817c36d78ef95c1b5e4ec0cc01678b82627d5602ff2a3db6c82306f7bb16
                                                                                                          • Opcode Fuzzy Hash: 32c86e56f5f6df6090431485b114074ae1d52a073b966caeff7506c3cbc95d84
                                                                                                          • Instruction Fuzzy Hash: EA018475600240CFEF508F15DD8576AFBE4EF45220F08C4ABDD869B756D279E404DEA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: closesocket
                                                                                                          • String ID:
                                                                                                          • API String ID: 2781271927-0
                                                                                                          • Opcode ID: d2a5f500731683131d7e484c61d3a2046a94df74174ba399086cf98d2a467463
                                                                                                          • Instruction ID: 85245e3b74470805535fa1ca77dbd8df4c1d532af1651d1ae28663389b18dbce
                                                                                                          • Opcode Fuzzy Hash: d2a5f500731683131d7e484c61d3a2046a94df74174ba399086cf98d2a467463
                                                                                                          • Instruction Fuzzy Hash: 7E01AD719002448FEB50DF15E884BA6FBE4EF04730F08C4EADD899F656D279E408DAA2
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • SetErrorMode.KERNELBASE(?), ref: 0109A330
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4080627744.000000000109A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_109a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorMode
                                                                                                          • String ID:
                                                                                                          • API String ID: 2340568224-0
                                                                                                          • Opcode ID: afcaa48429da43aa6a9645455421b12a6c63ecd2bcfce264e9ed2ddd9c7e0e0e
                                                                                                          • Instruction ID: 5dec7a8c7db2166bf2b15adaa909e40f7a67701b70930a957605c6bfa1a538f9
                                                                                                          • Opcode Fuzzy Hash: afcaa48429da43aa6a9645455421b12a6c63ecd2bcfce264e9ed2ddd9c7e0e0e
                                                                                                          • Instruction Fuzzy Hash: 95F0AF36A04640CFEF508F09D888765FBE4EF15321F08C0DAED894B752D2B9E408DEA2
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4080841125.0000000001150000.00000040.00000020.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_1150000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 75803a3253516417aed95dfa6d19b72e4633576a0444140bd7e73e5201aeb89b
                                                                                                          • Instruction ID: 60c28424fc0af72e738ab9f2200e51a43b4780ae78dc118fa0cccf20b8018629
                                                                                                          • Opcode Fuzzy Hash: 75803a3253516417aed95dfa6d19b72e4633576a0444140bd7e73e5201aeb89b
                                                                                                          • Instruction Fuzzy Hash: 6E11E431A04680DFD759CB54D540F25BBA5AB8D718F24C9ACF8491B743C77BD813CA81
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000001.00000002.4080841125.0000000001150000.00000040.00000020.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_1_2_1150000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c9abaca8ece3c80d19c13eacb2b344a05b9d578bdfe7e77433bf75069979b46e
                                                                                                          • Instruction ID: 7b0584b4cfb0aebe9bc8076f9925c5438d6f6cdeb38e9801ae4f6b54062b7421
                                                                                                          • Opcode Fuzzy Hash: c9abaca8ece3c80d19c13eacb2b344a05b9d578bdfe7e77433bf75069979b46e
                                                                                                          • Instruction Fuzzy Hash: 2B216D355093C0DFD717CB50D990B15BFB1AF8A314F1986EEE8888B6A3D33A8846CB51
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.4080841125.0000000001150000.00000040.00000020.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1150000_Exspa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7f94d4d9be7ad60eb4c11885dac1a0370a6265e186d7c8c7a14d03099f5b2641
• Instruction ID: d8f07b1bc2c7abd70a2cb9efca431b69cf1f4232b9332fcb9140538065a41eff
• Opcode Fuzzy Hash: 7f94d4d9be7ad60eb4c11885dac1a0370a6265e186d7c8c7a14d03099f5b2641
• Instruction Fuzzy Hash: C601D6750497806FD3018F15EC41893FFF8EF8623070984AFEC498B612C269B949CB61
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.4080841125.0000000001150000.00000040.00000020.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1150000_Exspa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5a0e11ed804b1083f195b2aa2916cff4e752fc0a46aa298f30b4858f484bd1c5
• Instruction ID: 35797c55c8a88b85fa0c60128f55ea2e313038fa2997ed0f54569ecd23e1e8bf
• Opcode Fuzzy Hash: 5a0e11ed804b1083f195b2aa2916cff4e752fc0a46aa298f30b4858f484bd1c5
• Instruction Fuzzy Hash: 78014035509680DFC307CB50D940B51BBB1FB8A718F15C6D9E8845B763C3369816CF91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.4080841125.0000000001150000.00000040.00000020.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1150000_Exspa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 04600195a8a0699fd4b81d29264c43655e369728a748b9fc922c81a7726b4acd
• Instruction ID: 963dea076a897602cd2fe496e6cd8a6f6bc1ff2e8da4405ea2c821311cad239b
• Opcode Fuzzy Hash: 04600195a8a0699fd4b81d29264c43655e369728a748b9fc922c81a7726b4acd
• Instruction Fuzzy Hash: E1F0F635508684DFC706CB44D980F15FBA2EB89718F24CAA9E9491BB62C737A812DA81
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.4080841125.0000000001150000.00000040.00000020.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1150000_Exspa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7e6e579a1302d06f98542f5a9136d97d9618cee76b0fa1d109a975679b97246d
• Instruction ID: ca78f3b651ddeb3e6f969851a6e3e9d3410ce641328957758df0ff4f9020c5c8
• Opcode Fuzzy Hash: 7e6e579a1302d06f98542f5a9136d97d9618cee76b0fa1d109a975679b97246d
• Instruction Fuzzy Hash: EFE092B66006044BA750CF0AEC45452F7D8EF98631718C07FDC0E8B701D679B509CEA5
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.4080615408.0000000001092000.00000040.00000800.00020000.00000000.sdmp, Offset: 01092000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1092000_Exspa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 34759e47b188b0df3a79b1f63e85589316f02038320e30142c2286e04a206e3f
• Instruction ID: 2212867ed21ae3fd9c34c443af241294fbe18456fcd153a268c4d47ca01b260a
• Opcode Fuzzy Hash: 34759e47b188b0df3a79b1f63e85589316f02038320e30142c2286e04a206e3f
• Instruction Fuzzy Hash: C6D02E392086C04FE7168E0CC2A8B853BE4BB60708F0A00F9A8808B763CB28D4C4E200
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.4080615408.0000000001092000.00000040.00000800.00020000.00000000.sdmp, Offset: 01092000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1092000_Exspa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3f912c3407f3b86663f005e28616bd7e222851fee34c04b5119a38ace9ebb953
• Instruction ID: 1482b64f14d010f863ee9dc9036e3eabb4e10c43e26b63198f531f07b3323e40
• Opcode Fuzzy Hash: 3f912c3407f3b86663f005e28616bd7e222851fee34c04b5119a38ace9ebb953
• Instruction Fuzzy Hash: 83D05E343406814BDB15DE0CD2E4F593BD4AB40B15F06C4E8AC508B762C7A8D9C4DA00
Uniqueness
• Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 10.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 19
Total number of Limit Nodes: 1

Execution graph (rendered graph omitted; the nodes and edges below are recovered from the graph dump):
• 115a612 -> 115a646 (CreateMutexW) -> 115a6c1
• 115a646 -> 115a67e (CreateMutexW) -> 115a6c1
• 115a361 -> 115a392 (RegQueryValueExW) -> 115a41b
• 115a462 -> 115a486 (RegSetValueExW) -> 115a507
• 115a710 -> 115a74e (FindCloseChangeNotification) -> 115a788
• 115a74e -> 115a7b9 -> 115a77a (FindCloseChangeNotification) -> 115a788, with a direct edge 115a74e -> 115a77a

Callgraph

Control-flow Graph

Control-flow graph for the function at 14703a8 (rendered graph omitted): basic blocks span 14703a8-1470b00; no API calls in this function.
Strings
Memory Dump Source
• Source File: 00000006.00000002.1920999636.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1470000_Exspa.jbxd
Similarity
• API ID:
• String ID: 2l$2l
• API String ID: 0-1392491997
• Opcode ID: aabb67c652fa7d0327afbf4a4a8d185942ba27844f5e9b31fe4a1aea18e8adae
• Instruction ID: 848d1a0fb466f1b87b8205be196e5f1389d13957b9d293597c7f9b898dc07fc8
• Opcode Fuzzy Hash: aabb67c652fa7d0327afbf4a4a8d185942ba27844f5e9b31fe4a1aea18e8adae
• Instruction Fuzzy Hash: A1F11930A01309CFDB28DB78D858BADB7B2EF85308F1044AAD419A7365DB7A9D85CF51
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph for the function at 1470397 (rendered graph omitted): basic blocks span 1470397-1470b00; no API calls in this function.
Strings
Memory Dump Source
• Source File: 00000006.00000002.1920999636.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1470000_Exspa.jbxd
Similarity
• API ID:
• String ID: 2l$2l
• API String ID: 0-1392491997
• Opcode ID: c9427cd6324759b76ec99f747503d279b3bfd03192be3259ffbf819b61b4eb91
• Instruction ID: 8d8594ad97f1f3c25c0913e68e8af5e935f5108a1e48448fccefd058d847eeb1
• Opcode Fuzzy Hash: c9427cd6324759b76ec99f747503d279b3bfd03192be3259ffbf819b61b4eb91
• Instruction Fuzzy Hash: 7CF11930A01309CFDB28DB78D858BADB7B2FB85308F1044AAD509A7365DB7A9D85CF51
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph for the function at 115a612 (rendered graph omitted): basic blocks span 115a612-115a70e; CreateMutexW is called in block 115a6b3-115a6d7.
APIs
• CreateMutexW.KERNELBASE(?,?), ref: 0115A6B9
Memory Dump Source
• Source File: 00000006.00000002.1920650734.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_115a000_Exspa.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: 9194d6e8cbdff07175eff365904d261bbe8d855fd4ec57b665e1359f31219706
• Instruction ID: ef6217efa5d4a42a74c65d7be4a397526a87369175c94fc0a856604cc262769d
• Opcode Fuzzy Hash: 9194d6e8cbdff07175eff365904d261bbe8d855fd4ec57b665e1359f31219706
• Instruction Fuzzy Hash: BD3170755097809FE712CB65DC45B96BFF8EF06210F08849AE9848B292D375E909CB61
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph for the function at 115a361 (rendered graph omitted): basic blocks span 115a361-115a447; RegQueryValueExW is called in block 115a406-115a419.
APIs
• RegQueryValueExW.KERNELBASE(?,00000E24,78F83F35,00000000,00000000,00000000,00000000), ref: 0115A40C
Memory Dump Source
• Source File: 00000006.00000002.1920650734.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_115a000_Exspa.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: 4b25661e635ce8ca7d7f6b121dc2f2b3caeb1072f6bebd1080568e2ec90be5da
• Instruction ID: 4904982da32f36706e43633ac4d456074ee32da01b7a36e456b85d8e9759e8d7
• Opcode Fuzzy Hash: 4b25661e635ce8ca7d7f6b121dc2f2b3caeb1072f6bebd1080568e2ec90be5da
• Instruction Fuzzy Hash: 86318F75508780AFE762CF15DC84F92BFF8EF06214F08859AE9858B293D364E949CB71
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph for the function at 115a462 (rendered graph omitted): basic blocks span 115a462-115a533; RegSetValueExW is called in block 115a4f2-115a505.
APIs
• RegSetValueExW.KERNELBASE(?,00000E24,78F83F35,00000000,00000000,00000000,00000000), ref: 0115A4F8
Memory Dump Source
• Source File: 00000006.00000002.1920650734.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_115a000_Exspa.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: 76660cc3ae0decfce7d8edf9950f2ebbb53b639f91404135427adbecb6128391
• Instruction ID: f184d59a88110b79cd29484e7fb2e2632b614f331855662965ebaa673450a08c
• Opcode Fuzzy Hash: 76660cc3ae0decfce7d8edf9950f2ebbb53b639f91404135427adbecb6128391
• Instruction Fuzzy Hash: 0E21B072504380AFE7228F15DC44FA7BFB8EF46210F08859AE985CB652D364E848C7B1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph for the function at 115a646 (rendered graph omitted): basic blocks span 115a646-115a70e; CreateMutexW is called in block 115a6b3-115a6bb.
APIs
• CreateMutexW.KERNELBASE(?,?), ref: 0115A6B9
Memory Dump Source
• Source File: 00000006.00000002.1920650734.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_115a000_Exspa.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: 7681f8aa9672056db060b5c5b88331f104072aa2f50121b9a4ae5136f071f35a
• Instruction ID: c9874bb635c3e0ae8071209ded1a1c10fd0c42e5accef31bd1149727e54e71fa
• Opcode Fuzzy Hash: 7681f8aa9672056db060b5c5b88331f104072aa2f50121b9a4ae5136f071f35a
• Instruction Fuzzy Hash: 9F21C2756002409FE754CF65DD45BA6FBE8EF04220F04C469ED498B742D375E809CA71
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

• Basic blocks: 11 blocks spanning 115a392-115a447; RegQueryValueExW is called from block 115a406-115a419 (graph rendering and executed/not-executed colouring omitted)
APIs
• RegQueryValueExW.KERNELBASE(?,00000E24,78F83F35,00000000,00000000,00000000,00000000), ref: 0115A40C
Memory Dump Source
• Source File: 00000006.00000002.1920650734.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_115a000_Exspa.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: 1fb7e0ec1f93aba1575367920426ede80eabbcba2026be23ebafe5b41bceccb1
• Instruction ID: 141a6a6b5a62d8824cd67747845ec7247350e7c62c1bf9563909d606b9475c6d
• Opcode Fuzzy Hash: 1fb7e0ec1f93aba1575367920426ede80eabbcba2026be23ebafe5b41bceccb1
• Instruction Fuzzy Hash: FF21C076600600DFE761CF55DC84FA6FBECEF04624F08C55AEE458B652D360E848CAB1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Basic blocks: 6 blocks spanning 115a710-115a7c5; FindCloseChangeNotification is called from block 115a77a-115a782 (graph rendering and executed/not-executed colouring omitted)
APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 0115A780
Memory Dump Source
• Source File: 00000006.00000002.1920650734.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_115a000_Exspa.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: 558d00494414e0279b684108e24aa3c81e4c86cd5f14bb99232ec4c4ac44de11
• Instruction ID: 8aa7bf379a7256e23e017418caf51aee2a957d9ca5220725468afbc826331d69
• Opcode Fuzzy Hash: 558d00494414e0279b684108e24aa3c81e4c86cd5f14bb99232ec4c4ac44de11
• Instruction Fuzzy Hash: C22105B19087809FDB128F25EC85752BFB4EF02224F0884DBDC858F653D3759905CBA2
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Basic blocks: 9 blocks spanning 115a486-115a533; RegSetValueExW is called from block 115a4f2-115a505 (graph rendering and executed/not-executed colouring omitted)
APIs
• RegSetValueExW.KERNELBASE(?,00000E24,78F83F35,00000000,00000000,00000000,00000000), ref: 0115A4F8
Memory Dump Source
• Source File: 00000006.00000002.1920650734.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_115a000_Exspa.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: 3c7f1405d8e5090c11e0e616721d1310a609e68464eabaca5baac18ec8ba5716
• Instruction ID: bec5c9a1c0d6ac36e0f5dabe45e6c66c00649e47536e25025173a1bb7f665cf7
• Opcode Fuzzy Hash: 3c7f1405d8e5090c11e0e616721d1310a609e68464eabaca5baac18ec8ba5716
• Instruction Fuzzy Hash: 4E11BE76640600AFEB618F15EC44FA6FBECEF04624F08855AED459B652D370E448CAB2
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Basic blocks: 6 blocks spanning 115a74e-115a7c5; FindCloseChangeNotification is called from block 115a77a-115a782 (graph rendering and executed/not-executed colouring omitted)
APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 0115A780
Memory Dump Source
• Source File: 00000006.00000002.1920650734.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_115a000_Exspa.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: 701c165782dce9634cd7af34fe96e17b1a85d3ed02a45601ebe0ee03fc1cab29
• Instruction ID: 388c2fcd502389fe5863bb592d56eb7628268190a314d74e75d800536c900ee0
• Opcode Fuzzy Hash: 701c165782dce9634cd7af34fe96e17b1a85d3ed02a45601ebe0ee03fc1cab29
• Instruction Fuzzy Hash: 9A01DF75A00640CFEB548F19E884766FBE4DF04220F08C4ABDD4A8F752D37AE408CEA2
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Basic blocks: 1 block, 1470006-1470076; no API calls (graph rendering and executed/not-executed colouring omitted)
Memory Dump Source
• Source File: 00000006.00000002.1920999636.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1470000_Exspa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 82e3ef7b1c8038f0414432a351d5deeca7ae2c439559f0eadbc5e874074927bb
• Instruction ID: 2df4c2576eea0cc785a1564b81ad76dae296bdb2fc7c1ea2f03dc6652ca99ba8
• Opcode Fuzzy Hash: 82e3ef7b1c8038f0414432a351d5deeca7ae2c439559f0eadbc5e874074927bb
• Instruction Fuzzy Hash: AC116C2118F7C25FC7178B744874295BFB2AE5322471E82DBC0D4CE8A7D22E585EC762
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Basic blocks: 3 blocks, 11005e4-1100603, 1100606-1100620 and 1100626-1100643; no API calls (graph rendering and executed/not-executed colouring omitted)
Memory Dump Source
• Source File: 00000006.00000002.1920596328.0000000001100000.00000040.00000020.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1100000_Exspa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5db75ae176b5160ad047a1b0a69c66e4aa8ddbd725a65da950a075c762ffbe1e
• Instruction ID: 1ccb33d9aebf51dcdbd4f1f95ad33d3a57c8d9bb058c92b8460dbbcbfae2fee4
• Opcode Fuzzy Hash: 5db75ae176b5160ad047a1b0a69c66e4aa8ddbd725a65da950a075c762ffbe1e
• Instruction Fuzzy Hash: E2F0A97550D7806FD7128F15AC45862FFB8DF86630709C49FEC498B652D229B809CB72
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Basic blocks: 2 blocks, 1100606-1100620 and 1100626-1100643; no API calls (graph rendering and executed/not-executed colouring omitted)
Memory Dump Source
• Source File: 00000006.00000002.1920596328.0000000001100000.00000040.00000020.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1100000_Exspa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 848b53f3b69d65e48c8ece1d710eb7de12837c42312b7dc963819257b193277f
• Instruction ID: 8693a47f4ea410ebbb0cb1547c93aeab7eb84123c3d6a30af9833158ae873fb0
• Opcode Fuzzy Hash: 848b53f3b69d65e48c8ece1d710eb7de12837c42312b7dc963819257b193277f
• Instruction Fuzzy Hash: 59E092B66046448B9750CF0AEC45452F7E8EB98630B08C07FDC0D8B711E636B508CAA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Basic blocks: 6 blocks spanning 11523f4-1152421; no API calls (graph rendering and executed/not-executed colouring omitted)
Memory Dump Source
• Source File: 00000006.00000002.1920636163.0000000001152000.00000040.00000800.00020000.00000000.sdmp, Offset: 01152000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1152000_Exspa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a3c2a76a3356332c0857d894ebcc27fa959f2fc615b6169a205a967f0a6eb5d
• Instruction ID: c2ea04159ca707772b118f5eae715d2e7be8d987ec027d48ad7ba6780b97acc0
• Opcode Fuzzy Hash: 1a3c2a76a3356332c0857d894ebcc27fa959f2fc615b6169a205a967f0a6eb5d
• Instruction Fuzzy Hash: 70D0177A3056818FE31A9A1CD2A8B953BA4AB51718F5A44B9AC408B762C768D585D600
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Basic blocks: 6 blocks spanning 11523bc-11523e8; no API calls (graph rendering and executed/not-executed colouring omitted)
Memory Dump Source
• Source File: 00000006.00000002.1920636163.0000000001152000.00000040.00000800.00020000.00000000.sdmp, Offset: 01152000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1152000_Exspa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 577881dc877cb1e1743a7ae53583e267b2d5c643d599a83ffbaa4cb7af4178d2
• Instruction ID: 61098aa09a6a9d2064c2c9745de2449e49df80498dd566059c929ff1cf2c6bbe
• Opcode Fuzzy Hash: 577881dc877cb1e1743a7ae53583e267b2d5c643d599a83ffbaa4cb7af4178d2
• Instruction Fuzzy Hash: 2ED05E35344681CFD759DE0CD2D4F593BD4AB44B15F0644E8AC208B762C7B8D9C4CA00
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 10.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 19
Total number of Limit Nodes: 1
• Execution graph: 19 nodes; API call sites at 108a74e and 108a77a (FindCloseChangeNotification), 108a392 (RegQueryValueExW), 108a646 and 108a67e (CreateMutexW), 108a486 (RegSetValueExW) (graph rendering omitted)

Callgraph (graph rendering omitted)

Control-flow Graph

• Basic blocks: 34 blocks spanning 16703a8-1670b00; no API calls (graph rendering and executed/not-executed colouring omitted)
Strings
Memory Dump Source
• Source File: 00000009.00000002.2003818501.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1670000_Exspa.jbxd
Similarity
• API ID:
• String ID: 2l$2l
• API String ID: 0-1392491997
• Opcode ID: 8eac3882560ace11a8916ff46beb491f2733228fa903ad46160dd8d9bc5f8d61
• Instruction ID: 34793ae7f48e8b924e13f957d62a0537e4f7ccbac6fd91f13ced7e1b2a4a059d
• Opcode Fuzzy Hash: 8eac3882560ace11a8916ff46beb491f2733228fa903ad46160dd8d9bc5f8d61
• Instruction Fuzzy Hash: 5DF11770A00209DFEB24DF79E854BADB7B2FB85308F1044A9D409AB355DB399D85CF61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced)
Strings
Memory Dump Source
• Source File: 00000009.00000002.2003818501.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1670000_Exspa.jbxd
Similarity
• API ID:
• String ID: 2l$2l
• API String ID: 0-1392491997
• Opcode ID: be7c5b9c49ce638ee7dfb63a200bb54d18e24fdb0f173b33825ac83644cda178
• Instruction ID: 34cc1c71d7ceb8134598af387c2af8f373d0f11a4dcca8596122de84a38a0052
• Opcode Fuzzy Hash: be7c5b9c49ce638ee7dfb63a200bb54d18e24fdb0f173b33825ac83644cda178
• Instruction Fuzzy Hash: BEF11870A00209DFEB24DF79D854BADB7B2FB85308F1044A9D409AB355DB3A9D85CF61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced)
APIs
• CreateMutexW.KERNELBASE(?,?), ref: 0108A6B9
Memory Dump Source
• Source File: 00000009.00000002.2002489135.000000000108A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_108a000_Exspa.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: 313af4d32a24a1ee902d6b2d23f5fb2a294afac14f8bba182114eabae74dccef
• Instruction ID: dd29faee97af91ecf5b15800aa53d5fc15956895c13f84918d7acb17d2a49953
• Opcode Fuzzy Hash: 313af4d32a24a1ee902d6b2d23f5fb2a294afac14f8bba182114eabae74dccef
• Instruction Fuzzy Hash: 8F31D1B1509780AFE712CB65CC85B96BFF8EF06214F08849AE984CB293D374E909C771
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced)
APIs
• RegQueryValueExW.KERNELBASE(?,00000E24,AD34AE30,00000000,00000000,00000000,00000000), ref: 0108A40C
Memory Dump Source
• Source File: 00000009.00000002.2002489135.000000000108A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_108a000_Exspa.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: 27d43b5446ce3bcd1160560d9266c5b500337649d2a674a03fb7b4c86ef87d13
• Instruction ID: fd13012c535167df73c9a3c5232e9a31b9a5c4f79584d1accdde1c12c127d0e8
• Opcode Fuzzy Hash: 27d43b5446ce3bcd1160560d9266c5b500337649d2a674a03fb7b4c86ef87d13
• Instruction Fuzzy Hash: 00318175509780AFE762CF15CC84F92BFF8EF46210F0884DAE9858B692D364E949CB71
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced)
APIs
• RegSetValueExW.KERNELBASE(?,00000E24,AD34AE30,00000000,00000000,00000000,00000000), ref: 0108A4F8
Memory Dump Source
• Source File: 00000009.00000002.2002489135.000000000108A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_108a000_Exspa.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: def43e2cb62584da9b8d5d8b73abf7cb2f5a2b98882cb9a4d6ac302c5cb88d44
• Instruction ID: c2982b90238364f6f13abe1879b444eba27316b240bc7440e237fa6b08c969a4
• Opcode Fuzzy Hash: def43e2cb62584da9b8d5d8b73abf7cb2f5a2b98882cb9a4d6ac302c5cb88d44
• Instruction Fuzzy Hash: FC21B272508380AFEB228F15CC44FA3BFF8EF46210F08849AE985CB652D364E948C771
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced)
APIs
• CreateMutexW.KERNELBASE(?,?), ref: 0108A6B9
Memory Dump Source
• Source File: 00000009.00000002.2002489135.000000000108A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_108a000_Exspa.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: 58ab1cbd5dd4d92efe567c6b807897853eea63e060170c0a6ea1f46d967573d5
• Instruction ID: a6719124b5b426b6892f2cedc403657e997b87aa0d6b094b6a69fae9cdb974e0
• Opcode Fuzzy Hash: 58ab1cbd5dd4d92efe567c6b807897853eea63e060170c0a6ea1f46d967573d5
• Instruction Fuzzy Hash: 6721C2716042009FE720DF65DD45BA6FBE8EF08224F08C4AAE985CBB42D375E909CB71
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced)
APIs
• RegQueryValueExW.KERNELBASE(?,00000E24,AD34AE30,00000000,00000000,00000000,00000000), ref: 0108A40C
Memory Dump Source
• Source File: 00000009.00000002.2002489135.000000000108A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_108a000_Exspa.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: e92f8d01a4ebf79c0dcab2a27cab586f286a90fc11f0d570ef5fa5ad4dc2a519
• Instruction ID: 5ac4ca983f3daffc617c783ede58fdedbd34bfcb9cbcfa75ecadd419e89e212d
• Opcode Fuzzy Hash: e92f8d01a4ebf79c0dcab2a27cab586f286a90fc11f0d570ef5fa5ad4dc2a519
• Instruction Fuzzy Hash: 6B21C076604600DFEB61DF19CC84FA7F7ECEF44620F08C49AE9859BA51D764E848CA71
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced)
APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 0108A780
Memory Dump Source
• Source File: 00000009.00000002.2002489135.000000000108A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_108a000_Exspa.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: 78b572ade9dbd97b1ea981215707197cd5ef110639b48318f49be85727712a7a
• Instruction ID: 50cf0e94fb6bc4c85a9ccb141681910cb475c9d991da986a49ee8876f4cd360c
• Opcode Fuzzy Hash: 78b572ade9dbd97b1ea981215707197cd5ef110639b48318f49be85727712a7a
• Instruction Fuzzy Hash: C12105B19083809FDB128F25DC85752BFB4EF02324F0884DBDC858F653D275A905DBA2
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced)
APIs
• RegSetValueExW.KERNELBASE(?,00000E24,AD34AE30,00000000,00000000,00000000,00000000), ref: 0108A4F8
Memory Dump Source
• Source File: 00000009.00000002.2002489135.000000000108A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_108a000_Exspa.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: dabc37674dedee4f2ed6532b957be81126b352facfa28108898ccf58befde134
• Instruction ID: c81795506d946232f0e3220bc18006cbf837400ba53dad21503d368a52e01458
• Opcode Fuzzy Hash: dabc37674dedee4f2ed6532b957be81126b352facfa28108898ccf58befde134
• Instruction Fuzzy Hash: EE110372600600AFEB219F15DC44FA7FBECEF04620F08C09AED859BA42D774E448CA71
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced)
APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 0108A780
Memory Dump Source
• Source File: 00000009.00000002.2002489135.000000000108A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_108a000_Exspa.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: e559ab84eff51429a3a4a11f40173af7fb10a19c3cf6473a87b9e6e524aa197b
• Instruction ID: 39ceb704ff38fc8bbed2c735f1528eb214e05cad10644c6030df16170763a065
• Opcode Fuzzy Hash: e559ab84eff51429a3a4a11f40173af7fb10a19c3cf6473a87b9e6e524aa197b
• Instruction Fuzzy Hash: 2401D475604200CFEB509F15DC85766FBE4EF04220F08C4ABDD868BB42D278E444CAA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced)
Memory Dump Source
• Source File: 00000009.00000002.2003831846.0000000001690000.00000040.00000020.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1690000_Exspa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b85e1f9aeaa5da18d5d41b3b02bf213dc14254cfff32f21e0eae6d34ac3afc88
• Instruction ID: c1e9caa3070dac09d3e93c80e6c8559bece161311d2eaed99da2fb84fe852a13
• Opcode Fuzzy Hash: b85e1f9aeaa5da18d5d41b3b02bf213dc14254cfff32f21e0eae6d34ac3afc88
• Instruction Fuzzy Hash: C501F5B640D3806FCB038B119D02862BFBCEF9722070DC0DBEC498B613D125A949C7A2
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Memory Dump Source
• Source File: 00000009.00000002.2003818501.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1670000_Exspa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e34fc6402673d229055eaf19d3f2b3b7a1745e22ee3e79c1ce08452d96a82786
• Instruction ID: 5c4d632d9cfbac97bf8c461189c011c109fddd9c2f113874d103de86da45a687
• Opcode Fuzzy Hash: e34fc6402673d229055eaf19d3f2b3b7a1745e22ee3e79c1ce08452d96a82786
• Instruction Fuzzy Hash: 7E01927148E7C29FC7478B708C65291BF71AE5322070E82DBC494CF5A7D62D6829DB62
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Memory Dump Source
• Source File: 00000009.00000002.2003831846.0000000001690000.00000040.00000020.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1690000_Exspa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8d25d6714a776e1750cf649021b6b70c2ae2572c509225897a2e1e6c9b14aa87
• Instruction ID: 6245cd377a8cfaedaf81138e6b2f716e0d6ec38a973d7577fb1aafa8466b8c1e
• Opcode Fuzzy Hash: 8d25d6714a776e1750cf649021b6b70c2ae2572c509225897a2e1e6c9b14aa87
• Instruction Fuzzy Hash: FDE092B66006044B9750CF0AEC41462F7D8EB98630708C07FDC0D8B701D639B548CAA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Memory Dump Source
• Source File: 00000009.00000002.2002442272.0000000001082000.00000040.00000800.00020000.00000000.sdmp, Offset: 01082000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1082000_Exspa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e8590ff22eac96973435fc26cf3f66870a9f5129e6756f0791d298e28405d60
• Instruction ID: 2cec9da0a7be5dc63c2e011d837d3e167a854449f3d2c3f5d96333a02d534ae0
• Opcode Fuzzy Hash: 9e8590ff22eac96973435fc26cf3f66870a9f5129e6756f0791d298e28405d60
• Instruction Fuzzy Hash: 98D02E392086C04FE316AE0CC2A8B853BE4BB40708F0A00FAA8808B763CB68D4C4C210
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Memory Dump Source
• Source File: 00000009.00000002.2002442272.0000000001082000.00000040.00000800.00020000.00000000.sdmp, Offset: 01082000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1082000_Exspa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b1e277477f76a2d8e73c12e3d33f79ce0efba02812fce00ebe786e88442a4c9d
• Instruction ID: e099b3d3d6103b63b45d1733c74e996bd7d113c1ca2e4a582505392551fef61f
• Opcode Fuzzy Hash: b1e277477f76a2d8e73c12e3d33f79ce0efba02812fce00ebe786e88442a4c9d
• Instruction Fuzzy Hash: 8DD05E343446814BD756EE0CD2E4F593BD4AB40B15F0684E8BC908B762C7A8D9C4CA00
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 13.8%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 19
Total number of Limit Nodes: 1
Execution graph API nodes: FindCloseChangeNotification, RegSetValueExW, CreateMutexW, RegQueryValueExW

Callgraph

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000000A.00000002.2086007077.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_5570000_Exspa.jbxd
Similarity
• API ID:
• String ID: 2l$2l$Z1k^
• API String ID: 0-3714752447
• Opcode ID: 3c6b075fc529b67b060bb481aa87f641359df2fbb2486efb0e4f3ee901f9f706
• Instruction ID: cb059c235b947f2ad8d34e435750c913924b1a41dc32b20caec3445ad9f6ae0f
• Opcode Fuzzy Hash: 3c6b075fc529b67b060bb481aa87f641359df2fbb2486efb0e4f3ee901f9f706
• Instruction Fuzzy Hash: 56F11A70A00219CFEB28DF74D894BADB7B2FB89304F1044A9D40AA73A4DB399D85CF51
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000000A.00000002.2086007077.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_5570000_Exspa.jbxd
Similarity
• API ID:
• String ID: 2l$2l$Z1k^
• API String ID: 0-3714752447
• Opcode ID: 601e364d62901c58800398e3fce51775610d1bf2d34b14dcad966a6dbb275b93
• Instruction ID: 72232539590a056834b39384f659cf2f1e9b1203f5a729a453092fec7eab0bf9
• Opcode Fuzzy Hash: 601e364d62901c58800398e3fce51775610d1bf2d34b14dcad966a6dbb275b93
• Instruction Fuzzy Hash: 9BF12A70A00209DFEB28DF74D894BADB7B2FB49304F1044A9D50AAB3A4DB799D85CF51
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateMutexW.KERNELBASE(?,?), ref: 016AA6B9
Memory Dump Source
• Source File: 0000000A.00000002.2085617182.00000000016AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_16aa000_Exspa.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: f2c68c4943aae5d2c3a3c2dedf7b883cb00208ffad6ac74c9bc7bea5555554ff
• Instruction ID: 615a8bc0ecb9fcb0cf8c42786c15b0209dfeeb196ccaa3639bdd2684c4740508
• Opcode Fuzzy Hash: f2c68c4943aae5d2c3a3c2dedf7b883cb00208ffad6ac74c9bc7bea5555554ff
• Instruction Fuzzy Hash: BE3193755093805FE712CB65CC45BA6BFF8EF06210F08849AE984CB293D375E909CB61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• RegQueryValueExW.KERNELBASE(?,00000E24,6D22A0FB,00000000,00000000,00000000,00000000), ref: 016AA40C
Memory Dump Source
• Source File: 0000000A.00000002.2085617182.00000000016AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_16aa000_Exspa.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: a5a742a9da8259cf7453c21187135771555f656cf78c5d614b24eb98d9f4f872
• Instruction ID: 9a85a8773569f09a91c519ee79fcfa45565b06ad1942ecf9fe107120d820a051
• Opcode Fuzzy Hash: a5a742a9da8259cf7453c21187135771555f656cf78c5d614b24eb98d9f4f872
• Instruction Fuzzy Hash: 94318075505780AFE722CF55CC84F92BBF8EF06610F08849AE985CB292D364E949CB71
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• RegSetValueExW.KERNELBASE(?,00000E24,6D22A0FB,00000000,00000000,00000000,00000000), ref: 016AA4F8
Memory Dump Source
• Source File: 0000000A.00000002.2085617182.00000000016AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_16aa000_Exspa.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: caf7932e2fd3143996c69144a23e83267a03abe29fc3f785ec69a5b0f113a623
• Instruction ID: 230b783c2d9ce7e04d44224f8828d0ab622a8bac4740056b0e0a31b61bd83c97
• Opcode Fuzzy Hash: caf7932e2fd3143996c69144a23e83267a03abe29fc3f785ec69a5b0f113a623
• Instruction Fuzzy Hash: DC21B0B25043806FE7228F55CC44FA3BFB8EF46210F08849AE985DB652D364E848CB71
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (function 16aa646-16aa70e; CreateMutexW is called from basic block 16aa6b3-16aa6bb)
APIs
• CreateMutexW.KERNELBASE(?,?), ref: 016AA6B9
Memory Dump Source
• Source File: 0000000A.00000002.2085617182.00000000016AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_16aa000_Exspa.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (function 16aa392-16aa447; RegQueryValueExW is called from basic block 16aa406-16aa419)
APIs
• RegQueryValueExW.KERNELBASE(?,00000E24,6D22A0FB,00000000,00000000,00000000,00000000), ref: 016AA40C
Memory Dump Source
• Source File: 0000000A.00000002.2085617182.00000000016AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_16aa000_Exspa.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (function 16aa710-16aa7c5; FindCloseChangeNotification is called from basic block 16aa77a-16aa782)
APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 016AA780
Memory Dump Source
• Source File: 0000000A.00000002.2085617182.00000000016AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_16aa000_Exspa.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (function 16aa486-16aa533; RegSetValueExW is called from basic block 16aa4f2-16aa505)
APIs
• RegSetValueExW.KERNELBASE(?,00000E24,6D22A0FB,00000000,00000000,00000000,00000000), ref: 016AA4F8
Memory Dump Source
• Source File: 0000000A.00000002.2085617182.00000000016AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_16aa000_Exspa.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (function 16aa74e-16aa7c5; FindCloseChangeNotification is called from basic block 16aa77a-16aa782)
APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 016AA780
Memory Dump Source
• Source File: 0000000A.00000002.2085617182.00000000016AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_16aa000_Exspa.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (function 557008b-5570395, two basic blocks, no API calls shown)
Memory Dump Source
• Source File: 0000000A.00000002.2086007077.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_5570000_Exspa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (function 5570006-5570076; basic block 5570070 calls 5570397, 1750606, 16a23bc and 55703a8)
Memory Dump Source
• Source File: 0000000A.00000002.2086007077.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_5570000_Exspa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (function 1750606-1750643, two basic blocks, no API calls shown)
Memory Dump Source
• Source File: 0000000A.00000002.2085759939.0000000001750000.00000040.00000020.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1750000_Exspa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (function 16a23f4-16a2421, no API calls shown)
Memory Dump Source
• Source File: 0000000A.00000002.2085604275.00000000016A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A2000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_16a2000_Exspa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (function 16a23bc-16a23e8, no API calls shown)
Memory Dump Source
• Source File: 0000000A.00000002.2085604275.00000000016A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A2000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_16a2000_Exspa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 14.8%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 19
Total number of Limit Nodes: 1
Execution graph paths: 136a646 -> 136a67e CreateMutexW -> 136a6c1; 136a462 -> 136a486 RegSetValueExW -> 136a507; 136a612 -> 136a646 CreateMutexW -> 136a6c1; 136a710 -> 136a74e FindCloseChangeNotification -> 136a788; 136a361 -> 136a392 RegQueryValueExW -> 136a41b; 136a74e -> 136a77a FindCloseChangeNotification -> 136a788 (alternate path through 136a7b9)

Callgraph

Control-flow Graph (function 55703a8-5570b00, no API calls shown)
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2167430855.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5570000_Exspa.jbxd
Similarity
• API ID:
• String ID: 2l$2l$Zek^
• API String ID: 0-3068074451
                                                                                                          • Opcode ID: cba74b94cba42c6010da69c71fda5f9cf12c4006126d7fddb3b1f812dfe53495
                                                                                                          • Instruction ID: 40759cc9dd8d69ea905c849406c726c38a63bf10036c8022b451f17e341aeb62
                                                                                                          • Opcode Fuzzy Hash: cba74b94cba42c6010da69c71fda5f9cf12c4006126d7fddb3b1f812dfe53495
                                                                                                          • Instruction Fuzzy Hash: CFF13970A00309CFDB24DB74D854BADB7BAFB89308F1045A9D40AAB3A4DB399C85CF51
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

Control-flow graph for the function at 0x5570397: basic blocks 0x5570397-0x5570b00, no API call resolved in this region; a back edge from block 0x5570ad3 to 0x5570712 forms a loop.
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000C.00000002.2167430855.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_12_2_5570000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: 2l$2l$Zek^
                                                                                                          • API String ID: 0-3068074451
                                                                                                          • Opcode ID: 904b581e83a89704407ca14ed1643cc9ae9df133e0efce2275bd0c6333d5b5c2
                                                                                                          • Instruction ID: d029d3ef972946638d546eac678c7394d367f7325ec8b95fa0bcdabdfdf52ba7
                                                                                                          • Opcode Fuzzy Hash: 904b581e83a89704407ca14ed1643cc9ae9df133e0efce2275bd0c6333d5b5c2
                                                                                                          • Instruction Fuzzy Hash: F9F12870A00309CFDB24DB74D855BADB7BAFB89308F1045A9D40AAB3A4DB399D85CF51
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

Control-flow graph for the function at 0x136a612: basic blocks 0x136a612-0x136a70e; CreateMutexW is called from block 0x136a6b3-0x136a6d7.
                                                                                                          APIs
                                                                                                          • CreateMutexW.KERNELBASE(?,?), ref: 0136A6B9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000C.00000002.2166860221.000000000136A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_12_2_136a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateMutex
                                                                                                          • String ID:
                                                                                                          • API String ID: 1964310414-0
                                                                                                          • Opcode ID: 874ef79b5ffd60f1ebf3144d2a0aeb9003a8527c9593348ac701e63175c6447a
                                                                                                          • Instruction ID: 2f95f5da3ab8d32fbb3ca21395613ba573c6a5a05ae44213620619485777a988
                                                                                                          • Opcode Fuzzy Hash: 874ef79b5ffd60f1ebf3144d2a0aeb9003a8527c9593348ac701e63175c6447a
                                                                                                          • Instruction Fuzzy Hash: 0D3191B55093806FE712CB65CC85B96BFF8EF06214F08849AE984DB293D375E909C761
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

Control-flow graph for the function at 0x136a361: basic blocks 0x136a361-0x136a447; RegQueryValueExW is called from block 0x136a406-0x136a419.
                                                                                                          APIs
                                                                                                          • RegQueryValueExW.KERNELBASE(?,00000E24,1E45E86D,00000000,00000000,00000000,00000000), ref: 0136A40C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000C.00000002.2166860221.000000000136A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_12_2_136a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: QueryValue
                                                                                                          • String ID:
                                                                                                          • API String ID: 3660427363-0
                                                                                                          • Opcode ID: ae88a90b27bb6de4227902da050cb1931424d3ab987fb8cf9b486b8786cd7167
                                                                                                          • Instruction ID: ee5a1806bef97bb4fff95b9f2e62694c73c2b77a38df2a15b52c8e2da03be599
                                                                                                          • Opcode Fuzzy Hash: ae88a90b27bb6de4227902da050cb1931424d3ab987fb8cf9b486b8786cd7167
                                                                                                          • Instruction Fuzzy Hash: 59315E75505780AFE722CF15CC84F92BBFCEF06614F08849AE9459B292D364E949CB71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

Control-flow graph for the function at 0x136a462: basic blocks 0x136a462-0x136a533; RegSetValueExW is called from block 0x136a4f2-0x136a505.
                                                                                                          APIs
                                                                                                          • RegSetValueExW.KERNELBASE(?,00000E24,1E45E86D,00000000,00000000,00000000,00000000), ref: 0136A4F8
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000C.00000002.2166860221.000000000136A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_12_2_136a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Value
                                                                                                          • String ID:
                                                                                                          • API String ID: 3702945584-0
                                                                                                          • Opcode ID: 5135c55c0a16a293aff3e3af38354902dde1dea1c7d1fb76e29f896f8481836e
                                                                                                          • Instruction ID: ab97591aa53a610bc17f11295307d7199d1771d4b1247973c6dd7933062d78d8
                                                                                                          • Opcode Fuzzy Hash: 5135c55c0a16a293aff3e3af38354902dde1dea1c7d1fb76e29f896f8481836e
                                                                                                          • Instruction Fuzzy Hash: 7B218EB6504380AFE7228F15DC44FA7BFBCEF46214F08849AE9859B692D264E848C771
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

Control-flow graph for the function at 0x136a646: basic blocks 0x136a646-0x136a70e; CreateMutexW is called from block 0x136a6b3-0x136a6bb.
                                                                                                          APIs
                                                                                                          • CreateMutexW.KERNELBASE(?,?), ref: 0136A6B9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000C.00000002.2166860221.000000000136A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_12_2_136a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateMutex
                                                                                                          • String ID:
                                                                                                          • API String ID: 1964310414-0
                                                                                                          • Opcode ID: fc63b02b0e7cd6cc1ccc757fce8a87a718a677e90dd04f0acecba77ac09d769a
                                                                                                          • Instruction ID: 76d4c86c7623f30d63112843e3e4b02087ee33145f4e389d5506ffd4e748e551
                                                                                                          • Opcode Fuzzy Hash: fc63b02b0e7cd6cc1ccc757fce8a87a718a677e90dd04f0acecba77ac09d769a
                                                                                                          • Instruction Fuzzy Hash: 6521D4B16002409FE720DF65CD45BA6FBECEF04224F04C86AE945DB746D374E809CA71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

Control-flow graph for the function at 0x136a392: basic blocks 0x136a392-0x136a447; RegQueryValueExW is called from block 0x136a406-0x136a419.
                                                                                                          APIs
                                                                                                          • RegQueryValueExW.KERNELBASE(?,00000E24,1E45E86D,00000000,00000000,00000000,00000000), ref: 0136A40C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000C.00000002.2166860221.000000000136A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_12_2_136a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: QueryValue
                                                                                                          • String ID:
                                                                                                          • API String ID: 3660427363-0
                                                                                                          • Opcode ID: be3d4849010511702ac2804ee6206407e8a61df4ca4eb59b741436a9ccd7ffad
                                                                                                          • Instruction ID: 37678aab6c5c1b1a934c442409636ba10589f573e02a05416beecb9f529e2778
                                                                                                          • Opcode Fuzzy Hash: be3d4849010511702ac2804ee6206407e8a61df4ca4eb59b741436a9ccd7ffad
                                                                                                          • Instruction Fuzzy Hash: 1F21C0766006049FE721CF16CC84FA2FBECEF04624F18C49AE945EB752D360E848CA71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

Control-flow graph for the function at 0x136a710: basic blocks 0x136a710-0x136a7c5; FindCloseChangeNotification is called from block 0x136a77a-0x136a782.
                                                                                                          APIs
                                                                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 0136A780
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000C.00000002.2166860221.000000000136A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_12_2_136a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ChangeCloseFindNotification
                                                                                                          • String ID:
                                                                                                          • API String ID: 2591292051-0
                                                                                                          • Opcode ID: 9a3640553a10a257826b8c275ce5f8c82a1885929341cb67b3496199f8f718c8
                                                                                                          • Instruction ID: 051177b604a8b723c82a46f282ff53ea8d8a4c37a92806051b20cefc3bcb3e8e
                                                                                                          • Opcode Fuzzy Hash: 9a3640553a10a257826b8c275ce5f8c82a1885929341cb67b3496199f8f718c8
                                                                                                          • Instruction Fuzzy Hash: 282108B19083809FD7128F25DC45B51BFB4EF02324F0884DBDC858F653D2759905CB61
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

Control-flow graph for the function at 0x136a486: basic blocks 0x136a486-0x136a533; RegSetValueExW is called from block 0x136a4f2-0x136a505.
                                                                                                          APIs
                                                                                                          • RegSetValueExW.KERNELBASE(?,00000E24,1E45E86D,00000000,00000000,00000000,00000000), ref: 0136A4F8
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000C.00000002.2166860221.000000000136A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_12_2_136a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Value
                                                                                                          • String ID:
                                                                                                          • API String ID: 3702945584-0
                                                                                                          • Opcode ID: 22a1b9e17fc3b4fc4b59e97931a13df0dd5da0b14bd1819b7dfb1e4a0c839abf
                                                                                                          • Instruction ID: 5648a745ceca3fe23f8f52b5245a79ca3a6accc1f42a377920a2237610c67edc
                                                                                                          • Opcode Fuzzy Hash: 22a1b9e17fc3b4fc4b59e97931a13df0dd5da0b14bd1819b7dfb1e4a0c839abf
                                                                                                          • Instruction Fuzzy Hash: A811B176500604AFEB21CF15DC44FA6FBECEF04624F08C45AED45AB741D360E448CA71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

Control-flow graph for the function at 0x136a74e: basic blocks 0x136a74e-0x136a7c5; FindCloseChangeNotification is called from block 0x136a77a-0x136a782.
                                                                                                          APIs
                                                                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 0136A780
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000C.00000002.2166860221.000000000136A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_12_2_136a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ChangeCloseFindNotification
                                                                                                          • String ID:
                                                                                                          • API String ID: 2591292051-0
                                                                                                          • Opcode ID: 0c629c089405d280b9de67d40ed9407593c3b611750f6bbb868a95a7ca8005f0
                                                                                                          • Instruction ID: 54c65c5c42c88b5d6839cf8488ed83b103c23fb88596f4e51ee70c5057acf186
                                                                                                          • Opcode Fuzzy Hash: 0c629c089405d280b9de67d40ed9407593c3b611750f6bbb868a95a7ca8005f0
                                                                                                          • Instruction Fuzzy Hash: 4501F7759002008FDB10CF55D884765FBE8DF15224F08C4ABDC469F746D278E404CEA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control-flow graph of the function at 557008a (rendered image not captured; reconstructed from the graph text)
                                                                                                          Blocks: 336 = 557008a-5570093; 337 = 557009e-5570395
                                                                                                          Edges: 336->337
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000C.00000002.2167430855.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_12_2_5570000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a17a472ba7699959e29d413d8d5a0143c2a64f79348160921eed45a225dbd1b3
                                                                                                          • Instruction ID: 71455bf69b8dc974bb60cb05dd5c720f5b9c58a670495e397a53338b39cb1aa9
                                                                                                          • Opcode Fuzzy Hash: a17a472ba7699959e29d413d8d5a0143c2a64f79348160921eed45a225dbd1b3
                                                                                                          • Instruction Fuzzy Hash: 25612C716127428FDB14EB38F5819ABB77EFFA8308B009569D0044B729DB38AC59CF91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control-flow graph of the function at 5570006 (rendered image not captured; reconstructed from the graph text)
                                                                                                          Blocks: 384 = 5570006-557006b; 385 = 5570076; 386, 387, 388, 389, 390 = 5570070 (one node per resolved target of the call at 5570070: 5570397, 1650606, 16505e1, 13623bc, 55703a8)
                                                                                                          Edges: 384->386, 384->387, 384->388, 384->389, 384->390; 386->385, 387->385, 388->385, 389->385, 390->385
                                                                                                          The call site at 5570070 was observed with five different targets, each returning to 5570076; 16505e1 and 1650606 are the entry points of the two graphs that follow.
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000C.00000002.2167430855.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_12_2_5570000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0703e342bbfdf35c783b10027c438182496239b986cd7ef594c7c5c2aa4f9bd3
                                                                                                          • Instruction ID: 588d7d1289d466651b7ecc2c3178aa31cb27b9c4b2e53985a0c7e200bd50e55a
                                                                                                          • Opcode Fuzzy Hash: 0703e342bbfdf35c783b10027c438182496239b986cd7ef594c7c5c2aa4f9bd3
                                                                                                          • Instruction Fuzzy Hash: 7D01AB6614E3C05FC7038734ACA6A953FB8AE83614B0F44DBD0C4CE9A7D258981CD732
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control-flow graph of the function at 16505e1 (rendered image not captured; reconstructed from the graph text)
                                                                                                          Blocks: 391 = 16505e1-1650620; 393 = 1650626-1650643
                                                                                                          Edges: 391->393
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000C.00000002.2167188927.0000000001650000.00000040.00000020.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_12_2_1650000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a4192110d4234368e841279f6434bf7a2ab3b62403b38f294cc90011777aa627
                                                                                                          • Instruction ID: 798fc5d29bcb9a6b14854dd88e853399498146b0350b8926e00d6e82f8e3d922
                                                                                                          • Opcode Fuzzy Hash: a4192110d4234368e841279f6434bf7a2ab3b62403b38f294cc90011777aa627
                                                                                                          • Instruction Fuzzy Hash: 6D01A9B65097806FD7128F16AC45862FFB8DF96620709C4DFEC498B752D125B809CB72
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control-flow graph of the function at 1650606 (rendered image not captured; reconstructed from the graph text)
                                                                                                          Blocks: 394 = 1650606-1650620; 395 = 1650626-1650643
                                                                                                          Edges: 394->395
                                                                                                          Same code as the 16505e1 graph above, entered 0x25 bytes into its first block (both paths end at 1650620 and continue at 1650626).
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000C.00000002.2167188927.0000000001650000.00000040.00000020.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_12_2_1650000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 55887d9391309d318ee417e0be84266e4d6247982283d5bd49b32666cb0180cc
                                                                                                          • Instruction ID: a50a566334983f6898b5826968f9c76a1e1c5c204602dbc159e928d57898a0e2
                                                                                                          • Opcode Fuzzy Hash: 55887d9391309d318ee417e0be84266e4d6247982283d5bd49b32666cb0180cc
                                                                                                          • Instruction Fuzzy Hash: 89E092B6A006048B9750DF0BEC41852F7D8EF98630708C47FDC0D8B701D635B508CAA5
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control-flow graph of the function at 13623f4 (rendered image not captured; reconstructed from the graph text)
                                                                                                          Blocks: 396 = 13623f4-13623ff; 397 = 1362412-1362417; 398 = 1362401-136240e; 399 = 136241a; 400 = 1362419; 401 = 1362420-1362421
                                                                                                          Edges: 396->397, 396->398, 397->399, 397->400, 398->397, 399->401
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000C.00000002.2166848193.0000000001362000.00000040.00000800.00020000.00000000.sdmp, Offset: 01362000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_12_2_1362000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: eb8dd2fd1213559edac0b766884fe0c939a40d97267994ce0e7c7ed983bde856
                                                                                                          • Instruction ID: 210fac46dba3454eb0393d2df0d46eee96ba876e776fe6a7c50f680bd5adba40
                                                                                                          • Opcode Fuzzy Hash: eb8dd2fd1213559edac0b766884fe0c939a40d97267994ce0e7c7ed983bde856
                                                                                                          • Instruction Fuzzy Hash: 20D02B352006C04FE3178E0CC158B963FE87F41708F0740F998008B767C718D4C4C100
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000C.00000002.2166848193.0000000001362000.00000040.00000800.00020000.00000000.sdmp, Offset: 01362000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_12_2_1362000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a1ed7aaf7560fe995e34d23e30752717b231427d258a05a27ad5aa671f5ae29e
                                                                                                          • Instruction ID: 1587b7a957646052d7755c91c6243b168fcadef2b878b99286157ab8951ad447
                                                                                                          • Opcode Fuzzy Hash: a1ed7aaf7560fe995e34d23e30752717b231427d258a05a27ad5aa671f5ae29e
                                                                                                          • Instruction Fuzzy Hash: 0FD05E343406814BD715DF0CD2D4F5A3BD8AB40B19F1684E9AC108B766C7A8D9C4CA00
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Execution Graph

                                                                                                          Execution Coverage:10.4%
                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                          Signature Coverage:0%
                                                                                                          Total number of Nodes:19
                                                                                                          Total number of Limit Nodes:1
                                                                                                          execution graph (rendered image not captured; reconstructed from the graph text). Each chain is: start node -> node labelled with the API it calls -> following node.
                                                                                                          106a646 -> CreateMutexW at 106a67e -> 106a6c1
                                                                                                          106a612 -> CreateMutexW at 106a646 -> 106a6c1 (second entry into the same mutex routine)
                                                                                                          106a462 -> RegSetValueExW at 106a486 -> 106a507
                                                                                                          106a710 -> FindCloseChangeNotification at 106a74e -> 106a788
                                                                                                          106a361 -> RegQueryValueExW at 106a392 -> 106a41b
                                                                                                          106a74e -> FindCloseChangeNotification at 106a77a -> 106a788, with an alternate path 106a74e -> 106a7b9 -> 106a77a
                                                                                                          Summary of Windows APIs reached from the 0106A000 region: CreateMutexW, RegQueryValueExW, RegSetValueExW, FindCloseChangeNotification (the same four calls the per-function graphs below reference).
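The execution graph and the control-flow graphs in this section survive only as flattened node/edge strings. The Python below, an added example and not code from Joe Sandbox or from this report, parses those strings back into nodes and edges and answers the questions an analyst asks of such a graph: which entry address reaches which Windows API, what the call at 5570070 resolves to, and which edges jump backwards (loop candidates). The token grammar is inferred from the lines in this report only and is an assumption; the three sample inputs are copied verbatim from the graphs on this page.

```python
# Added example: parse the one-line graph residue Joe Sandbox leaves in extracted
# reports and pull out the API calls, call targets and loops it still encodes.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample inputs copied from this report (regions 0106A000 and 01280000 of process 13, 05570000 of process 12).
EXEC_GRAPH = (
    "execution_graph 652 106a646 654 106a67e CreateMutexW 652->654 655 106a6c1 654->655 "
    "664 106a612 665 106a646 CreateMutexW 664->665 667 106a6c1 665->667 "
    "672 106a462 673 106a486 RegSetValueExW 672->673 675 106a507 673->675 "
    "668 106a710 669 106a74e FindCloseChangeNotification 668->669 671 106a788 669->671 "
    "676 106a361 678 106a392 RegQueryValueExW 676->678 679 106a41b 678->679 "
    "660 106a74e 661 106a77a FindCloseChangeNotification 660->661 662 106a7b9 660->662 "
    "663 106a788 661->663 662->661"
)
CFG_CALLS = (
    "control_flow_graph 384 5570006-557006b 386 5570070 call 5570397 384->386 "
    "387 5570070 call 1650606 384->387 388 5570070 call 16505e1 384->388 "
    "389 5570070 call 13623bc 384->389 390 5570070 call 55703a8 384->390 "
    "385 5570076 386->385 387->385 388->385 389->385 390->385"
)
CFG_LOOP = (
    "control_flow_graph 0 12803a8-12803f6 4 12803f8-12803fe 0->4 5 128041d-1280424 0->5 4->5 "
    "6 1280455-128045c 5->6 7 1280426-1280436 5->7 8 128045e-1280464 6->8 9 1280483-128048a 6->9 7->6 8->9 "
    "12 128048c-1280492 9->12 13 12804b1-12804b8 9->13 12->13 18 12804ba-1280524 13->18 19 128052e-128056b 13->19 18->19 "
    "26 128056d 19->26 27 1280572-128057f 19->27 26->27 30 1280581-12805ab 27->30 31 12805b6-1280603 27->31 30->31 "
    "41 128066e-12806af 31->41 42 1280605-1280667 31->42 44 12806b1-12806e6 41->44 45 1280712-1280723 41->45 42->41 44->45 "
    "50 128072e-1280739 45->50 51 1280725-128072b 45->51 57 128073f-1280746 50->57 58 1280ad3-1280b00 50->58 51->50 "
    "59 1280748-128077a 57->59 60 12807a6-12807aa 57->60 58->45 59->60 63 12807ac-12807c9 60->63 64 12807ed-12807f4 60->64 63->64 "
    "79 12807cb-12807e5 63->79 66 12807fa-12808a8 64->66 67 1280ace 64->67 90 1280938-1280a12 66->90 91 12808ae-1280931 66->91 "
    "67->58 79->64 106 1280a18-1280a9b 90->106 107 1280aa2 90->107 91->90 106->107 107->67"
)

@dataclass
class Node:
    nid: int
    start: int                                        # first address of the block
    end: Optional[int]                                # None for single-address nodes
    apis: List[str] = field(default_factory=list)     # API labels attached to the node
    calls: List[int] = field(default_factory=list)    # resolved 'call' targets

@dataclass
class Graph:
    nodes: Dict[int, Node]
    edges: List[Tuple[int, int]]

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_ADDR = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")

def parse_graph(text: str) -> Graph:
    """Grammar (inferred from the report, an assumption): '<id> <hex>[-<hex>]' opens a node,
    '<id>-><id>' is an edge, a bare identifier is an API label, 'call <hex>' a resolved target."""
    toks = text.split()[1:]                           # drop the execution_graph/control_flow_graph tag
    g, cur, i = Graph({}, []), None, 0
    while i < len(toks):
        tok, m = toks[i], _EDGE.match(toks[i])
        if m:
            g.edges.append((int(m.group(1)), int(m.group(2))))
        elif tok.isdigit():                           # node id: the next token is always its address
            i += 1
            am = _ADDR.match(toks[i])
            cur = Node(int(tok), int(am.group(1), 16), int(am.group(2), 16) if am.group(2) else None)
            g.nodes[cur.nid] = cur
        elif tok == "call" and cur is not None:
            i += 1
            cur.calls.append(int(toks[i], 16))
        elif tok[0].isalpha() and cur is not None:
            cur.apis.append(tok)                      # e.g. CreateMutexW
        else:
            raise ValueError(f"unexpected token {tok!r} at position {i}")
        i += 1
    return g

def reachable_apis(g: Graph) -> Dict[str, List[str]]:
    """Entry nodes (no incoming edge), keyed by hex start address -> sorted APIs reachable from them."""
    succ: Dict[int, List[int]] = {}
    for s, d in g.edges:
        succ.setdefault(s, []).append(d)
    has_pred = {d for _, d in g.edges}
    out: Dict[str, List[str]] = {}
    for root in (n for n in g.nodes.values() if n.nid not in has_pred):
        seen, stack, apis = set(), [root.nid], set()
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                apis.update(g.nodes[n].apis)
                stack.extend(succ.get(n, []))
        out[f"{root.start:x}"] = sorted(apis)
    return out

def call_targets(g: Graph) -> List[str]:
    """Hex addresses of every resolved call target in the graph."""
    return sorted({f"{t:x}" for n in g.nodes.values() for t in n.calls})

def back_edges(g: Graph) -> List[Tuple[int, int]]:
    """Edges that jump to a lower address than their source block: loop candidates."""
    return [(s, d) for s, d in g.edges if g.nodes[d].start < g.nodes[s].start]

if __name__ == "__main__":
    for label, text in (("exec", EXEC_GRAPH), ("calls", CFG_CALLS), ("loop", CFG_LOOP)):
        g = parse_graph(text)
        loops = [(f"{g.nodes[s].start:x}", f"{g.nodes[d].start:x}") for s, d in back_edges(g)]
        print(label, reachable_apis(g), call_targets(g), loops)
```

Run as a script it reports, for the execution graph, the six entry addresses and the API each reaches (106a462 to RegSetValueExW, 106a361 to RegQueryValueExW, and so on), the five targets of the call at 5570070, and the single backward edge 1280ad3 -> 1280712 in the 12803a8 function. On a full report the same parser can be fed every graph line from the page, which turns the image residue into a per-function API inventory without opening each rendered graph.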

                                                                                                          Callgraph

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control-flow graph of the function at 12803a8 (rendered image not captured; reconstructed from the graph text)
                                                                                                          Blocks (node = address range):
                                                                                                          0 = 12803a8-12803f6; 4 = 12803f8-12803fe; 5 = 128041d-1280424; 6 = 1280455-128045c; 7 = 1280426-1280436; 8 = 128045e-1280464; 9 = 1280483-128048a
                                                                                                          12 = 128048c-1280492; 13 = 12804b1-12804b8; 18 = 12804ba-1280524; 19 = 128052e-128056b; 26 = 128056d; 27 = 1280572-128057f; 30 = 1280581-12805ab
                                                                                                          31 = 12805b6-1280603; 41 = 128066e-12806af; 42 = 1280605-1280667; 44 = 12806b1-12806e6; 45 = 1280712-1280723; 50 = 128072e-1280739; 51 = 1280725-128072b
                                                                                                          57 = 128073f-1280746; 58 = 1280ad3-1280b00; 59 = 1280748-128077a; 60 = 12807a6-12807aa; 63 = 12807ac-12807c9; 64 = 12807ed-12807f4; 66 = 12807fa-12808a8
                                                                                                          67 = 1280ace; 79 = 12807cb-12807e5; 90 = 1280938-1280a12; 91 = 12808ae-1280931; 106 = 1280a18-1280a9b; 107 = 1280aa2
                                                                                                          Edges:
                                                                                                          0->4, 0->5, 4->5, 5->6, 5->7, 6->8, 6->9, 7->6, 8->9, 9->12, 9->13, 12->13, 13->18, 13->19, 18->19, 19->26, 19->27, 26->27
                                                                                                          27->30, 27->31, 30->31, 31->41, 31->42, 41->44, 41->45, 42->41, 44->45, 45->50, 45->51, 50->57, 50->58, 51->50, 57->59, 57->60
                                                                                                          58->45, 59->60, 60->63, 60->64, 63->64, 63->79, 64->66, 64->67, 66->90, 66->91, 67->58, 79->64, 90->106, 90->107, 91->90, 106->107, 107->67
                                                                                                          The only backward edge is 58->45 (1280ad3 back to 1280712); every block from 45 onward leads back to 58, so the code from 1280712 to 1280b00 is one loop body.
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.2249496596.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_1280000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: 2l$2l
                                                                                                          • API String ID: 0-1392491997
                                                                                                          • Opcode ID: fbc070359aed26c35efbc824ded3ef260fec0995194a0fd66830a903331e4e64
                                                                                                          • Instruction ID: 387f760bb23f539ee78a4e359300aa0c6e2bed89384abb239fc3119767c12a4d
                                                                                                          • Opcode Fuzzy Hash: fbc070359aed26c35efbc824ded3ef260fec0995194a0fd66830a903331e4e64
                                                                                                          • Instruction Fuzzy Hash: 11F11730A01309CFEB28EF74D455BAEB7B6EF89208F1044A9D509AB395DB399C85CF51
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control-flow graph of the function at 1280397 (rendered image not captured; reconstructed from the graph text). Same code as the 12803a8 graph above, entered 0x11 bytes earlier.
                                                                                                          Blocks (node = address range):
                                                                                                          113 = 1280397-12803f6; 117 = 12803f8-12803fe; 118 = 128041d-1280424; 119 = 1280455-128045c; 120 = 1280426-1280436; 121 = 128045e-1280464; 122 = 1280483-128048a
                                                                                                          125 = 128048c-1280492; 126 = 12804b1-12804b8; 131 = 12804ba-1280524; 132 = 128052e-128055a; 138 = 1280565-128056b; 139 = 128056d; 140 = 1280572-128057f
                                                                                                          143 = 1280581-12805ab; 144 = 12805b6-1280603; 154 = 128066e-12806af; 155 = 1280605-1280667; 157 = 12806b1-12806e6; 158 = 1280712-1280723; 163 = 128072e-1280739
                                                                                                          164 = 1280725-128072b; 170 = 128073f-1280746; 171 = 1280ad3-1280b00; 172 = 1280748-128077a; 173 = 12807a6-12807aa; 176 = 12807ac-12807c9; 177 = 12807ed-12807f4
                                                                                                          192 = 12807cb-12807e5; 179 = 12807fa-12808a8; 180 = 1280ace; 203 = 1280938-1280a12; 204 = 12808ae-1280931; 219 = 1280a18-1280a9b; 220 = 1280aa2
                                                                                                          Edges:
                                                                                                          113->117, 113->118, 117->118, 118->119, 118->120, 119->121, 119->122, 120->119, 121->122, 122->125, 122->126, 125->126, 126->131, 126->132, 131->132, 132->138
                                                                                                          138->139, 138->140, 139->140, 140->143, 140->144, 143->144, 144->154, 144->155, 154->157, 154->158, 155->154, 157->158, 158->163, 158->164, 163->170, 163->171
                                                                                                          164->163, 170->172, 170->173, 171->158, 172->173, 173->176, 173->177, 176->177, 176->192, 177->179, 177->180, 179->203, 179->204, 180->171, 192->177
                                                                                                          203->219, 203->220, 204->203, 219->220, 220->180
                                                                                                          The only backward edge is 171->158 (1280ad3 back to 1280712), the same loop as in the 12803a8 graph.
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.2249496596.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_1280000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: 2l$2l
                                                                                                          • API String ID: 0-1392491997
                                                                                                          • Opcode ID: 80f82ad6f60146262e153b9951e74ff10cbc9a66d415a93de7a72dbcdadf7d5e
                                                                                                          • Instruction ID: 698504c5a3f05e3dd3fc45c7cf1b13739ca2a6ec205b8e5cb0f9693d4bcbce44
                                                                                                          • Opcode Fuzzy Hash: 80f82ad6f60146262e153b9951e74ff10cbc9a66d415a93de7a72dbcdadf7d5e
                                                                                                          • Instruction Fuzzy Hash: 5CF12630A01309CFEB28EF74D855BAEB7B6EF89204F1044A9D509AB395DB399C85CF51
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 226 106a612-106a695 230 106a697 226->230 231 106a69a-106a6a3 226->231 230->231 232 106a6a5 231->232 233 106a6a8-106a6b1 231->233 232->233 234 106a702-106a707 233->234 235 106a6b3-106a6d7 CreateMutexW 233->235 234->235 238 106a709-106a70e 235->238 239 106a6d9-106a6ff 235->239 238->239
                                                                                                          APIs
                                                                                                          • CreateMutexW.KERNELBASE(?,?), ref: 0106A6B9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.2249173538.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_106a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateMutex
                                                                                                          • String ID:
                                                                                                          • API String ID: 1964310414-0
                                                                                                          • Opcode ID: c1d7aa6cc34f25bb59e03d32c081a81034be26bf79207656fd2c39e0623a5455
                                                                                                          • Instruction ID: d4b9f720de31f26b65a3829a3691455f943630c0c7eb2a0d7b7b03bd0d93dc61
                                                                                                          • Opcode Fuzzy Hash: c1d7aa6cc34f25bb59e03d32c081a81034be26bf79207656fd2c39e0623a5455
                                                                                                          • Instruction Fuzzy Hash: 7E3191B5509380AFE712CB65CC85B96BFF8EF06214F0884DAE984DB293D375E909C761
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 242 106a361-106a3cf 245 106a3d4-106a3dd 242->245 246 106a3d1 242->246 247 106a3e2-106a3e8 245->247 248 106a3df 245->248 246->245 249 106a3ed-106a404 247->249 250 106a3ea 247->250 248->247 252 106a406-106a419 RegQueryValueExW 249->252 253 106a43b-106a440 249->253 250->249 254 106a442-106a447 252->254 255 106a41b-106a438 252->255 253->252 254->255
                                                                                                          APIs
                                                                                                          • RegQueryValueExW.KERNELBASE(?,00000E24,F660DF04,00000000,00000000,00000000,00000000), ref: 0106A40C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.2249173538.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_106a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: QueryValue
                                                                                                          • String ID:
                                                                                                          • API String ID: 3660427363-0
                                                                                                          • Opcode ID: 041d883388786834658e85cd26e7ffa7935548fa955ff58ea638622a2c3db5f9
                                                                                                          • Instruction ID: 7dec3cc939f4ab2bf9fb913b27bdb753950bbb781ebcb5e58f90efd7102ac564
                                                                                                          • Opcode Fuzzy Hash: 041d883388786834658e85cd26e7ffa7935548fa955ff58ea638622a2c3db5f9
                                                                                                          • Instruction Fuzzy Hash: B0318E75508780AFE762CF15CC84F92BFFCEF46210F0884DAE9859B292D364E949CB61
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 259 106a462-106a4c3 262 106a4c5 259->262 263 106a4c8-106a4d4 259->263 262->263 264 106a4d6 263->264 265 106a4d9-106a4f0 263->265 264->265 267 106a527-106a52c 265->267 268 106a4f2-106a505 RegSetValueExW 265->268 267->268 269 106a507-106a524 268->269 270 106a52e-106a533 268->270 270->269
                                                                                                          APIs
                                                                                                          • RegSetValueExW.KERNELBASE(?,00000E24,F660DF04,00000000,00000000,00000000,00000000), ref: 0106A4F8
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.2249173538.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_106a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Value
                                                                                                          • String ID:
                                                                                                          • API String ID: 3702945584-0
                                                                                                          • Opcode ID: 54fd85c6529abb600d8fa1592be1f089dfe80ac91c10741b088853455adfacaf
                                                                                                          • Instruction ID: 18bec7999460a60cd03a7111ef0cee06a6d48d9b89725e7cc2910f1a99dfe9b7
                                                                                                          • Opcode Fuzzy Hash: 54fd85c6529abb600d8fa1592be1f089dfe80ac91c10741b088853455adfacaf
                                                                                                          • Instruction Fuzzy Hash: 2E218176504380AFD7228F15DC44FA7BFFCEF46224F08849AE9859B652D264E948C771
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 274 106a646-106a695 277 106a697 274->277 278 106a69a-106a6a3 274->278 277->278 279 106a6a5 278->279 280 106a6a8-106a6b1 278->280 279->280 281 106a702-106a707 280->281 282 106a6b3-106a6bb CreateMutexW 280->282 281->282 284 106a6c1-106a6d7 282->284 285 106a709-106a70e 284->285 286 106a6d9-106a6ff 284->286 285->286
                                                                                                          APIs
                                                                                                          • CreateMutexW.KERNELBASE(?,?), ref: 0106A6B9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.2249173538.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_106a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateMutex
                                                                                                          • String ID:
                                                                                                          • API String ID: 1964310414-0
                                                                                                          • Opcode ID: ca5d58561ab24d19aee4078e0a3e762a42d6b1fa49ab3440c9612a4a9375bed0
                                                                                                          • Instruction ID: 991d0770107357874e2b3d280459926128fc5fc1e6bf92fbd0bce4a2fe728899
                                                                                                          • Opcode Fuzzy Hash: ca5d58561ab24d19aee4078e0a3e762a42d6b1fa49ab3440c9612a4a9375bed0
                                                                                                          • Instruction Fuzzy Hash: 1221D4716002409FEB10DF65CD45BA6FBECEF08224F04C4A9E985DB742D374E809CA71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 289 106a392-106a3cf 291 106a3d4-106a3dd 289->291 292 106a3d1 289->292 293 106a3e2-106a3e8 291->293 294 106a3df 291->294 292->291 295 106a3ed-106a404 293->295 296 106a3ea 293->296 294->293 298 106a406-106a419 RegQueryValueExW 295->298 299 106a43b-106a440 295->299 296->295 300 106a442-106a447 298->300 301 106a41b-106a438 298->301 299->298 300->301
                                                                                                          APIs
                                                                                                          • RegQueryValueExW.KERNELBASE(?,00000E24,F660DF04,00000000,00000000,00000000,00000000), ref: 0106A40C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.2249173538.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_106a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: QueryValue
                                                                                                          • String ID:
                                                                                                          • API String ID: 3660427363-0
                                                                                                          • Opcode ID: 49bc2cbaca502a10cdef015194596405c264fd00f8814336c58548228708d500
                                                                                                          • Instruction ID: 08feaf87a3ff8cc73d4b49f36b8f3f41d508bdddd06a1389ea6a6deec33c413e
                                                                                                          • Opcode Fuzzy Hash: 49bc2cbaca502a10cdef015194596405c264fd00f8814336c58548228708d500
                                                                                                          • Instruction Fuzzy Hash: F821D276600600EFEB61DF15CC84FA6FBECEF44620F08C49AE985DB652D760E848CA71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 305 106a710-106a778 307 106a77a-106a782 FindCloseChangeNotification 305->307 308 106a7b9-106a7be 305->308 309 106a788-106a79a 307->309 308->307 311 106a7c0-106a7c5 309->311 312 106a79c-106a7b8 309->312 311->312
                                                                                                          APIs
                                                                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 0106A780
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.2249173538.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_106a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ChangeCloseFindNotification
                                                                                                          • String ID:
                                                                                                          • API String ID: 2591292051-0
                                                                                                          • Opcode ID: 934d32dee1d333d6dade8ed28c7718d78417c06bda4e6991eeb5f55cf4ff517b
                                                                                                          • Instruction ID: fd44c90b8849e64ec579ee3be954f6a32b3f7fc9497b2fb1b844d641d531a4ec
                                                                                                          • Opcode Fuzzy Hash: 934d32dee1d333d6dade8ed28c7718d78417c06bda4e6991eeb5f55cf4ff517b
                                                                                                          • Instruction Fuzzy Hash: B72105B19083809FDB128F25DC85752BFB8EF02224F0884EBDC858F653D2759905CBA2
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 314 106a486-106a4c3 316 106a4c5 314->316 317 106a4c8-106a4d4 314->317 316->317 318 106a4d6 317->318 319 106a4d9-106a4f0 317->319 318->319 321 106a527-106a52c 319->321 322 106a4f2-106a505 RegSetValueExW 319->322 321->322 323 106a507-106a524 322->323 324 106a52e-106a533 322->324 324->323
                                                                                                          APIs
                                                                                                          • RegSetValueExW.KERNELBASE(?,00000E24,F660DF04,00000000,00000000,00000000,00000000), ref: 0106A4F8
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.2249173538.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_106a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Value
                                                                                                          • String ID:
                                                                                                          • API String ID: 3702945584-0
                                                                                                          • Opcode ID: bebb8bcb3834e3c7827ce4694548422f872e0e0367ee4955710f95bbc15c93d9
                                                                                                          • Instruction ID: f49d788e951e9da5dddd7324d1e661627fad35206bcc0e67f7268dbf66782a12
                                                                                                          • Opcode Fuzzy Hash: bebb8bcb3834e3c7827ce4694548422f872e0e0367ee4955710f95bbc15c93d9
                                                                                                          • Instruction Fuzzy Hash: 5611B176600600AFEB61DF15DC44FA6FBECEF44624F08C49AED45AB641D760E548CA71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 328 106a74e-106a778 329 106a77a-106a782 FindCloseChangeNotification 328->329 330 106a7b9-106a7be 328->330 331 106a788-106a79a 329->331 330->329 333 106a7c0-106a7c5 331->333 334 106a79c-106a7b8 331->334 333->334
                                                                                                          APIs
                                                                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 0106A780
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.2249173538.000000000106A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_106a000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ChangeCloseFindNotification
                                                                                                          • String ID:
                                                                                                          • API String ID: 2591292051-0
                                                                                                          • Opcode ID: b903044719dfd673739db2f16d614a52f5e86ad129c4eb5f949346548e9f1f08
                                                                                                          • Instruction ID: fbeb50fb0b54507c26608e0c33467d8e0227fe80ba371e337e25a4ce2b0608e1
                                                                                                          • Opcode Fuzzy Hash: b903044719dfd673739db2f16d614a52f5e86ad129c4eb5f949346548e9f1f08
                                                                                                          • Instruction Fuzzy Hash: D701DF75A04200CFEB509F19DC84766FBE8EF04220F08C4ABDD8A9B742D278E408CAA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 337 15105e3-1510603 339 1510606-1510620 337->339 340 1510626-1510643 339->340
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.2249578553.0000000001510000.00000040.00000020.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_1510000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 9b813f2ace288304dfe110fbea0ae96abdd2036ae35042e5da386cdb4ea2297e
                                                                                                          • Instruction ID: 433b936d5ae53cd5cebf3724fd0770eba138e132949cf4dd5507f0d5ef2ff40d
                                                                                                          • Opcode Fuzzy Hash: 9b813f2ace288304dfe110fbea0ae96abdd2036ae35042e5da386cdb4ea2297e
                                                                                                          • Instruction Fuzzy Hash: 30F086B65097846FD7128B15AC40862FFB8EA86620709C4AFED498B652D125A908CB61
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 336 1280016-1280076
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.2249496596.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_1280000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: ee95b695df6c165ac563ae7bd45fb40f345446637df36f685b9fe20b985c8b7d
                                                                                                          • Instruction ID: 2676a3e8b3324d5f9ad6620d37e25d2af71912108181fdf09d715387b27481fb
                                                                                                          • Opcode Fuzzy Hash: ee95b695df6c165ac563ae7bd45fb40f345446637df36f685b9fe20b985c8b7d
                                                                                                          • Instruction Fuzzy Hash: 2801646180E3C08FC3535B7088656903FB0AE53228B1F01DBC080CF0B3E26D1D1ADBA2
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 341 1510606-1510620 342 1510626-1510643 341->342
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.2249578553.0000000001510000.00000040.00000020.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_1510000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a5bb40b283b34f756717b7c2082870b1e884f394f518e39197f5cb5e58490864
                                                                                                          • Instruction ID: 8ab535fdaf1e4155d9921bdd30b640eaafe45168501e193b16264758f8bd8b67
                                                                                                          • Opcode Fuzzy Hash: a5bb40b283b34f756717b7c2082870b1e884f394f518e39197f5cb5e58490864
                                                                                                          • Instruction Fuzzy Hash: D0E092B66046045BD750CF0AEC41452F7D8EB88630718C17FDC0D8B701D635F508CAA5
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 343 10623f4-10623ff 344 1062412-1062417 343->344 345 1062401-106240e 343->345 346 106241a 344->346 347 1062419 344->347 345->344 348 1062420-1062421 346->348
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.2249161673.0000000001062000.00000040.00000800.00020000.00000000.sdmp, Offset: 01062000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_1062000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: cb0aa3f2d645be1f7eeeebdd36a1fac8f5ed01286e20f1d4bf7c62c770478f2d
                                                                                                          • Instruction ID: 66a421031009fb350b929560c5ae759de6202b1ca99d8717830ac43388721d4f
                                                                                                          • Opcode Fuzzy Hash: cb0aa3f2d645be1f7eeeebdd36a1fac8f5ed01286e20f1d4bf7c62c770478f2d
                                                                                                          • Instruction Fuzzy Hash: 55D02E392006C04FE3168E0CC2A8BA53BE8BF41708F0A00F9A8808BB63CB28D4C8C200
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 349 10623bc-10623c3 350 10623d6-10623db 349->350 351 10623c5-10623d2 349->351 352 10623e1 350->352 353 10623dd-10623e0 350->353 351->350 354 10623e7-10623e8 352->354
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.2249161673.0000000001062000.00000040.00000800.00020000.00000000.sdmp, Offset: 01062000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_1062000_Exspa.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 2bc8a0e280137401cc459908737f0db760ff03220b01b4087c212f1974da5ae3
                                                                                                          • Instruction ID: 137afcb9e1a794eff83ef1cf1a8496560575a291a88fbb7d91f38974f5790522
                                                                                                          • Opcode Fuzzy Hash: 2bc8a0e280137401cc459908737f0db760ff03220b01b4087c212f1974da5ae3
                                                                                                          • Instruction Fuzzy Hash: 3BD05E343406814BD715DF0CD2D4F593BD8AF40B15F0684E9AC508B762C7A8D9C4CA00
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%