
Windows Analysis Report
1iZH7aeO5F.exe

Overview

General Information

Sample name: 1iZH7aeO5F.exe (renamed because original name is a hash value)
Original sample name: 320f34b9a9f567e773d2a526daf749fa.exe
Analysis ID: 1443977
MD5: 320f34b9a9f567e773d2a526daf749fa
SHA1: 6a56b12f075f8daaf354ca44810bec29e756c941
SHA256: 16e030019f05b734a973a0fafc0fb678d0eb2736cfd5159a7ea82ebf3c198170
Tags: exe, njrat, RAT

Detection

Njrat
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Disables the Windows task manager (taskmgr)
Disables zone checking for all users
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • 1iZH7aeO5F.exe (PID: 5696 cmdline: "C:\Users\user\Desktop\1iZH7aeO5F.exe" MD5: 320F34B9A9F567E773D2A526DAF749FA)
    • netsh.exe (PID: 728 cmdline: netsh firewall add allowedprogram "C:\Users\user\Desktop\1iZH7aeO5F.exe" "1iZH7aeO5F.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 2724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 5344 cmdline: netsh firewall delete allowedprogram "C:\Users\user\Desktop\1iZH7aeO5F.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 5444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 5284 cmdline: netsh firewall add allowedprogram "C:\Users\user\Desktop\1iZH7aeO5F.exe" "1iZH7aeO5F.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 1876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration:
{"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "ef4ab10333351fde29c0e75b008795bc", "Install Dir": "system", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
Yara Overview

Source: 1iZH7aeO5F.exe
  • Rule: JoeSecurity_Njrat; Description: Yara detected Njrat; Author: Joe Security
  • Rule: Windows_Trojan_Njrat_30f3c220; Description: unknown; Author: unknown; Strings:
    • 0x115d2:$a1: get_Registry
    • 0x15a27:$a2: SEE_MASK_NOZONECHECKS
    • 0x156c9:$a3: Download ERROR
    • 0x15c79:$a4: cmd.exe /c ping 0 -n 2 & del "
    • 0x13c06:$a5: netsh firewall delete allowedprogram "
  • Rule: CN_disclosed_20180208_c; Description: Detects malware from disclosed CN malware set; Author: Florian Roth; Strings:
    • 0x15c79:$x1: cmd.exe /c ping 0 -n 2 & del "
    • 0x13792:$s1: winmgmts:\\.\root\SecurityCenter2
    • 0x156e7:$s3: Executed As
    • 0x124f0:$s5: Stub.exe
    • 0x156c9:$s6: Download ERROR
    • 0x13754:$s8: Select * From AntiVirusProduct
  • Rule: Njrat; Description: detect njRAT in memory; Author: JPCERT/CC Incident Response Group; Strings:
    • 0x15a27:$reg: SEE_MASK_NOZONECHECKS
    • 0x156ad:$msg: Execute ERROR
    • 0x15701:$msg: Execute ERROR
    • 0x15c79:$ping: cmd.exe /c ping 0 -n 2 & del
  • Rule: MALWARE_Win_NjRAT; Description: Detects NjRAT / Bladabindi; Author: ditekSHen; Strings:
    • 0x13c06:$s1: netsh firewall delete allowedprogram
    • 0x13c58:$s2: netsh firewall add allowedprogram
    • 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
    • 0x156ad:$s4: Execute ERROR
    • 0x15701:$s4: Execute ERROR
    • 0x156c9:$s5: Download ERROR

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe (dropped file)
  • Rule: JoeSecurity_Njrat; Description: Yara detected Njrat; Author: Joe Security
  • Rule: Windows_Trojan_Njrat_30f3c220; Description: unknown; Author: unknown; Strings:
    • 0x115d2:$a1: get_Registry
    • 0x15a27:$a2: SEE_MASK_NOZONECHECKS
    • 0x156c9:$a3: Download ERROR
    • 0x15c79:$a4: cmd.exe /c ping 0 -n 2 & del "
    • 0x13c06:$a5: netsh firewall delete allowedprogram "
  • Rule: CN_disclosed_20180208_c; Description: Detects malware from disclosed CN malware set; Author: Florian Roth; Strings:
    • 0x15c79:$x1: cmd.exe /c ping 0 -n 2 & del "
    • 0x13792:$s1: winmgmts:\\.\root\SecurityCenter2
    • 0x156e7:$s3: Executed As
    • 0x124f0:$s5: Stub.exe
    • 0x156c9:$s6: Download ERROR
    • 0x13754:$s8: Select * From AntiVirusProduct
  • Rule: Njrat; Description: detect njRAT in memory; Author: JPCERT/CC Incident Response Group; Strings:
    • 0x15a27:$reg: SEE_MASK_NOZONECHECKS
    • 0x156ad:$msg: Execute ERROR
    • 0x15701:$msg: Execute ERROR
    • 0x15c79:$ping: cmd.exe /c ping 0 -n 2 & del
  • Rule: MALWARE_Win_NjRAT; Description: Detects NjRAT / Bladabindi; Author: ditekSHen; Strings:
    • 0x13c06:$s1: netsh firewall delete allowedprogram
    • 0x13c58:$s2: netsh firewall add allowedprogram
    • 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
    • 0x156ad:$s4: Execute ERROR
    • 0x15701:$s4: Execute ERROR
    • 0x156c9:$s5: Download ERROR

Source: 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp (memory dump)
  • Rule: JoeSecurity_Njrat; Description: Yara detected Njrat; Author: Joe Security

Source: 00000000.00000000.1988603577.0000000000F92000.00000002.00000001.01000000.00000003.sdmp (memory dump)
  • Rule: JoeSecurity_Njrat; Description: Yara detected Njrat; Author: Joe Security
  • Rule: Windows_Trojan_Njrat_30f3c220; Description: unknown; Author: unknown; Strings:
    • 0x113d2:$a1: get_Registry
    • 0x15827:$a2: SEE_MASK_NOZONECHECKS
    • 0x154c9:$a3: Download ERROR
    • 0x15a79:$a4: cmd.exe /c ping 0 -n 2 & del "
    • 0x13a06:$a5: netsh firewall delete allowedprogram "
  • Rule: Njrat; Description: detect njRAT in memory; Author: JPCERT/CC Incident Response Group; Strings:
    • 0x15827:$reg: SEE_MASK_NOZONECHECKS
    • 0x154ad:$msg: Execute ERROR
    • 0x15501:$msg: Execute ERROR
    • 0x15a79:$ping: cmd.exe /c ping 0 -n 2 & del

Source: Process Memory Space: 1iZH7aeO5F.exe PID: 5696
  • Rule: JoeSecurity_Njrat; Description: Yara detected Njrat; Author: Joe Security

Source: 0.0.1iZH7aeO5F.exe.f90000.0.unpack (unpacked PE)
  • Rule: JoeSecurity_Njrat; Description: Yara detected Njrat; Author: Joe Security
  • Rule: Windows_Trojan_Njrat_30f3c220; Description: unknown; Author: unknown; Strings:
    • 0x115d2:$a1: get_Registry
    • 0x15a27:$a2: SEE_MASK_NOZONECHECKS
    • 0x156c9:$a3: Download ERROR
    • 0x15c79:$a4: cmd.exe /c ping 0 -n 2 & del "
    • 0x13c06:$a5: netsh firewall delete allowedprogram "
  • Rule: CN_disclosed_20180208_c; Description: Detects malware from disclosed CN malware set; Author: Florian Roth; Strings:
    • 0x15c79:$x1: cmd.exe /c ping 0 -n 2 & del "
    • 0x13792:$s1: winmgmts:\\.\root\SecurityCenter2
    • 0x156e7:$s3: Executed As
    • 0x124f0:$s5: Stub.exe
    • 0x156c9:$s6: Download ERROR
    • 0x13754:$s8: Select * From AntiVirusProduct
  • Rule: Njrat; Description: detect njRAT in memory; Author: JPCERT/CC Incident Response Group; Strings:
    • 0x15a27:$reg: SEE_MASK_NOZONECHECKS
    • 0x156ad:$msg: Execute ERROR
    • 0x15701:$msg: Execute ERROR
    • 0x15c79:$ping: cmd.exe /c ping 0 -n 2 & del
  • Rule: MALWARE_Win_NjRAT; Description: Detects NjRAT / Bladabindi; Author: ditekSHen; Strings:
    • 0x13c06:$s1: netsh firewall delete allowedprogram
    • 0x13c58:$s2: netsh firewall add allowedprogram
    • 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
    • 0x156ad:$s4: Execute ERROR
    • 0x15701:$s4: Execute ERROR
    • 0x156c9:$s5: Download ERROR

System Summary

Sigma detected: Startup Folder File Write
Source: File created
Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Data: EventID: 11, Image: C:\Users\user\Desktop\1iZH7aeO5F.exe, ProcessId: 5696, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Snort IDS Alerts
              Timestamp:05/19/24-13:58:30.141221
              SID:2814856
              Source Port:49743
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:24.873447
              SID:2814856
              Source Port:49741
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:37.401284
              SID:2814856
              Source Port:49745
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:27.517197
              SID:2814856
              Source Port:49742
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:40.953521
              SID:2814856
              Source Port:49746
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:43.869191
              SID:2814856
              Source Port:49747
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:01.293185
              SID:2814856
              Source Port:49704
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:03.600944
              SID:2814856
              Source Port:49705
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:22.261137
              SID:2814856
              Source Port:49740
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:55.620050
              SID:2033132
              Source Port:49731
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:52.818612
              SID:2033132
              Source Port:49730
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:32.733312
              SID:2814856
              Source Port:49744
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-14:00:21.177524
              SID:2814856
              Source Port:49759
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:19.605486
              SID:2825564
              Source Port:49739
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:59:19.811421
              SID:2814856
              Source Port:49753
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:59:22.393782
              SID:2814856
              Source Port:49754
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:58.732625
              SID:2814856
              Source Port:49732
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:04.716868
              SID:2814856
              Source Port:49734
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:59:12.889712
              SID:2814856
              Source Port:49752
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:59:48.841533
              SID:2814856
              Source Port:49756
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:55.673276
              SID:2814856
              Source Port:49731
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:07.280571
              SID:2814856
              Source Port:49735
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:59:00.265208
              SID:2814856
              Source Port:49750
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-14:00:03.906997
              SID:2814856
              Source Port:49757
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-14:00:11.073416
              SID:2814856
              Source Port:49758
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:14.849038
              SID:2814856
              Source Port:49714
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:17.710652
              SID:2814856
              Source Port:49716
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:52.868787
              SID:2814856
              Source Port:49730
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:09.905031
              SID:2814856
              Source Port:49736
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:19.605486
              SID:2814860
              Source Port:49739
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:59:10.297630
              SID:2814856
              Source Port:49751
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:13.052528
              SID:2814856
              Source Port:49737
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:27.299562
              SID:2033132
              Source Port:49720
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:30.702609
              SID:2825564
              Source Port:49721
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:24.819791
              SID:2033132
              Source Port:49741
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:22.209333
              SID:2033132
              Source Port:49740
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:59:37.333591
              SID:2814856
              Source Port:49755
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:01.588817
              SID:2814856
              Source Port:49733
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:09.310016
              SID:2033132
              Source Port:49707
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:49.912771
              SID:2033132
              Source Port:49728
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:06.277632
              SID:2033132
              Source Port:49706
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:12.109502
              SID:2033132
              Source Port:49708
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:53.202661
              SID:2033132
              Source Port:49749
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:03.547062
              SID:2033132
              Source Port:49705
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:44.237483
              SID:2033132
              Source Port:49726
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:47.102281
              SID:2033132
              Source Port:49727
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:48.599643
              SID:2033132
              Source Port:49748
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:59:22.622570
              SID:2814860
              Source Port:49754
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:27.466502
              SID:2033132
              Source Port:49742
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:23.369142
              SID:2814856
              Source Port:49719
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:30.687437
              SID:2033132
              Source Port:49721
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-14:00:37.885777
              SID:2814856
              Source Port:49760
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-14:01:03.033945
              SID:2814856
              Source Port:49761
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:20.532509
              SID:2814856
              Source Port:49718
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:30.091760
              SID:2033132
              Source Port:49743
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:33.272402
              SID:2033132
              Source Port:49722
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:36.010938
              SID:2033132
              Source Port:49723
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:19.573184
              SID:2814856
              Source Port:49739
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:32.682513
              SID:2033132
              Source Port:49744
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:38.789971
              SID:2033132
              Source Port:49724
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:41.511014
              SID:2033132
              Source Port:49725
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:01.287429
              SID:2033132
              Source Port:49704
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:37.347524
              SID:2033132
              Source Port:49745
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:43.807491
              SID:2033132
              Source Port:49747
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:40.901851
              SID:2033132
              Source Port:49746
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:33.320635
              SID:2814856
              Source Port:49722
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:30.693152
              SID:2814856
              Source Port:49721
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:36.065243
              SID:2814856
              Source Port:49723
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-14:01:02.978980
              SID:2033132
              Source Port:49761
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:27.352576
              SID:2814856
              Source Port:49720
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:38.799294
              SID:2814856
              Source Port:49724
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:41.523438
              SID:2814856
              Source Port:49725
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:47.112042
              SID:2814856
              Source Port:49727
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:44.293131
              SID:2814856
              Source Port:49726
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-14:00:37.831032
              SID:2033132
              Source Port:49760
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:59:12.837250
              SID:2033132
              Source Port:49752
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:59:00.214834
              SID:2033132
              Source Port:49750
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:59:22.622570
              SID:2825564
              Source Port:49754
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:59:10.247529
              SID:2033132
              Source Port:49751
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-14:00:21.171817
              SID:2033132
              Source Port:49759
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:19.518408
              SID:2033132
              Source Port:49739
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:20.476527
              SID:2033132
              Source Port:49718
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:17.487883
              SID:2033132
              Source Port:49738
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:13.046674
              SID:2033132
              Source Port:49737
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-14:00:11.022301
              SID:2033132
              Source Port:49758
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:17.698975
              SID:2033132
              Source Port:49716
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:23.312492
              SID:2033132
              Source Port:49719
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:30.702609
              SID:2814860
              Source Port:49721
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:59:19.755628
              SID:2033132
              Source Port:49753
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:12.130118
              SID:2814856
              Source Port:49708
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:58.681738
              SID:2033132
              Source Port:49732
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:01.531695
              SID:2033132
              Source Port:49733
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:53.253209
              SID:2814856
              Source Port:49749
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:59:22.388360
              SID:2033132
              Source Port:49754
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:06.329376
              SID:2814856
              Source Port:49706
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:09.320195
              SID:2814856
              Source Port:49707
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:59:37.282316
              SID:2033132
              Source Port:49755
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:49.965614
              SID:2814856
              Source Port:49728
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:07.229080
              SID:2033132
              Source Port:49735
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:59:48.789535
              SID:2033132
              Source Port:49756
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:57:14.793035
              SID:2033132
              Source Port:49714
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:04.686444
              SID:2033132
              Source Port:49734
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-13:58:09.853627
              SID:2033132
              Source Port:49736
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/19/24-14:00:03.901621
              SID:2033132
              Source Port:49757
              Destination Port:13006
              Protocol:TCP
              Classtype:A Network Trojan was detected

              AV Detection

              Source: 1iZH7aeO5F.exe | Avira: detected
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Avira: detection malicious, Label: TR/Dropper.Gen
              Source: 0.0.1iZH7aeO5F.exe.f90000.0.unpack | Malware Configuration Extractor: Njrat {"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "ef4ab10333351fde29c0e75b008795bc", "Install Dir": "system", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
              Source: 6.tcp.eu.ngrok.io | Virustotal: Detection: 12%
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | ReversingLabs: Detection: 91%
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Virustotal: Detection: 71%
              Source: 1iZH7aeO5F.exe | ReversingLabs: Detection: 91%
              Source: 1iZH7aeO5F.exe | Virustotal: Detection: 71%
              Source: Yara match | File source: 1iZH7aeO5F.exe, type: SAMPLE
              Source: Yara match | File source: 0.0.1iZH7aeO5F.exe.f90000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000000.1988603577.0000000000F92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: 1iZH7aeO5F.exe PID: 5696, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Joe Sandbox ML: detected
              Source: 1iZH7aeO5F.exe | Joe Sandbox ML: detected
              Source: 1iZH7aeO5F.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
              Source: 1iZH7aeO5F.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Spreading

              Source: 1iZH7aeO5F.exe, Usb1.cs | .Net Code: infect
              Source: Microsoft Corporation.exe.0.dr, Usb1.cs | .Net Code: infect
              Source: 1iZH7aeO5F.exe, 00000000.00000000.1988603577.0000000000F92000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: \autorun.inf
              Source: 1iZH7aeO5F.exe, 00000000.00000000.1988603577.0000000000F92000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: [autorun]
              Source: 1iZH7aeO5F.exe, 00000000.00000000.1988603577.0000000000F92000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: autorun.inf
              Source: 1iZH7aeO5F.exe | Binary or memory string: \autorun.inf
              Source: 1iZH7aeO5F.exe | Binary or memory string: [autorun]
              Source: 1iZH7aeO5F.exe | Binary or memory string: autorun.inf
              Source: Microsoft Corporation.exe.0.dr | Binary or memory string: \autorun.inf
              Source: Microsoft Corporation.exe.0.dr | Binary or memory string: [autorun]
              Source: Microsoft Corporation.exe.0.dr | Binary or memory string: autorun.inf

              Networking

              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49704 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49704 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49705 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49705 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49706 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49706 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49707 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49707 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49708 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49708 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49714 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49714 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49716 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49716 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49718 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49718 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49719 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49719 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49720 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49720 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49721 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49721 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.5:49721 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.5:49721 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49722 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49722 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49723 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49723 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49724 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49724 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49725 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49725 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49726 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49726 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49727 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49727 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49728 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49728 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49730 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49730 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49731 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49731 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49732 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49732 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49733 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49733 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49734 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49734 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49735 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49735 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49736 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49736 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49737 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49737 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49738 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49739 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49739 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.5:49739 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.5:49739 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49740 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49740 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49741 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49741 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49742 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49742 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49743 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49743 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49744 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49744 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49745 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49745 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49746 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49746 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49747 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49747 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49748 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49749 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49749 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49750 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49750 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49751 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49751 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49752 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49752 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49753 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49753 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49754 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49754 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.5:49754 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.5:49754 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49755 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49755 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49756 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49756 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49757 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49757 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49758 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49758 -> 3.68.171.119:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49759 -> 3.69.115.178:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49759 -> 3.69.115.178:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49760 -> 3.69.115.178:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49760 -> 3.69.115.178:13006
              Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49761 -> 3.69.115.178:13006
              Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49761 -> 3.69.115.178:13006
              Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 3.68.171.119:13006
              Source: global traffic | TCP traffic: 192.168.2.5:49759 -> 3.69.115.178:13006
              Source: Joe Sandbox View | IP Address: 3.69.115.178 3.69.115.178
              Source: Joe Sandbox View | IP Address: 3.68.171.119 3.68.171.119
              Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
              Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Code function: 0_2_0187A186 recv | 0_2_0187A186
              Source: global traffic | DNS traffic detected: DNS query: 6.tcp.eu.ngrok.io
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Window created: window name: CLIPBRDWNDCLASS

              E-Banking Fraud

              Source: Yara match | File source: 1iZH7aeO5F.exe, type: SAMPLE
              Source: Yara match | File source: 0.0.1iZH7aeO5F.exe.f90000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000000.1988603577.0000000000F92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: 1iZH7aeO5F.exe PID: 5696, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED

              System Summary

              barindex
              Source: 1iZH7aeO5F.exe, type: SAMPLEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
              Source: 1iZH7aeO5F.exe, type: SAMPLEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
              Source: 1iZH7aeO5F.exe, type: SAMPLEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
              Source: 1iZH7aeO5F.exe, type: SAMPLEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: 0.0.1iZH7aeO5F.exe.f90000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
              Source: 0.0.1iZH7aeO5F.exe.f90000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
              Source: 0.0.1iZH7aeO5F.exe.f90000.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
              Source: 0.0.1iZH7aeO5F.exe.f90000.0.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: 00000000.00000000.1988603577.0000000000F92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
              Source: 00000000.00000000.1988603577.0000000000F92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPEDMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPEDMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeCode function: 0_2_062E076A NtQuerySystemInformation,0_2_062E076A
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeCode function: 0_2_062E0739 NtQuerySystemInformation,0_2_062E0739
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeCode function: 0_2_057673470_2_05767347
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeCode function: 0_2_057642980_2_05764298
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeCode function: 0_2_057677800_2_05767780
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeCode function: 0_2_057642870_2_05764287
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4437764810.000000000138E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs 1iZH7aeO5F.exe
              Source: 1iZH7aeO5F.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 1iZH7aeO5F.exe, type: SAMPLEMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
              Source: 1iZH7aeO5F.exe, type: SAMPLEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 1iZH7aeO5F.exe, type: SAMPLEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 1iZH7aeO5F.exe, type: SAMPLEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
              Source: 0.0.1iZH7aeO5F.exe.f90000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
              Source: 0.0.1iZH7aeO5F.exe.f90000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.0.1iZH7aeO5F.exe.f90000.0.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 0.0.1iZH7aeO5F.exe.f90000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
              Source: 00000000.00000000.1988603577.0000000000F92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
              Source: 00000000.00000000.1988603577.0000000000F92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPEDMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPEDMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPEDMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
              Source: classification engine | Classification label: mal100.spre.phis.troj.adwa.evad.winEXE@10/6@4/2
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Code function: 0_2_062E05EE AdjustTokenPrivileges, 0_2_062E05EE
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Code function: 0_2_062E05B7 AdjustTokenPrivileges, 0_2_062E05B7
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | File created: C:\Users\user\AppData\Roaming\app
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Mutant created: NULL
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Mutant created: \Sessions\1\BaseNamedObjects\ef4ab10333351fde29c0e75b008795bc
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5444:120:WilError_03
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2724:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1876:120:WilError_03
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt
              Source: 1iZH7aeO5F.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: 1iZH7aeO5F.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: 1iZH7aeO5F.exe | ReversingLabs: Detection: 91%
              Source: 1iZH7aeO5F.exe | Virustotal: Detection: 71%
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | File read: C:\Users\user\Desktop\1iZH7aeO5F.exe
              Source: unknown | Process created: C:\Users\user\Desktop\1iZH7aeO5F.exe "C:\Users\user\Desktop\1iZH7aeO5F.exe"
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\1iZH7aeO5F.exe" "1iZH7aeO5F.exe" ENABLE
              Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Users\user\Desktop\1iZH7aeO5F.exe"
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\1iZH7aeO5F.exe" "1iZH7aeO5F.exe" ENABLE
              Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\1iZH7aeO5F.exe" "1iZH7aeO5F.exe" ENABLE
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Users\user\Desktop\1iZH7aeO5F.exe"
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\1iZH7aeO5F.exe" "1iZH7aeO5F.exe" ENABLE
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: edputil.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: shfolder.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: textshaping.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: textinputframework.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: coreuicomponents.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: coremessaging.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: coremessaging.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Section loaded: userenv.dll
              The identical sequence of loaded sections below is reported once for each of the three C:\Windows\SysWOW64\netsh.exe processes created by the sample; it is listed here a single time.
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
              Source: 1iZH7aeO5F.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
              Source: 1iZH7aeO5F.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              Source: 1iZH7aeO5F.exe, Fransesco.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
              Source: Microsoft Corporation.exe.0.dr, Fransesco.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

              Boot Survival

              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe\:Zone.Identifier:$DATA
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 1910000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 35C0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 55C0000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 8950000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 9950000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 9B20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: AC20000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: AFB0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: BFB0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: CFB0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: DFB0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: AFB0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: C1B0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: D3B0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: E3B0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: F3B0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 103B0000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 9950000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 8950000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: AFA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: C1B0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: F3B0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 10AC0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 11AC0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 12AC0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 13AC0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 14AC0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 15AC0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 16AC0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 17AC0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 18AC0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 19AC0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 1AAC0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 1BAC0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 1CAC0000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 1D8D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 1E8D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 1F8D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 103B0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 114F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 124F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: EC30000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: FC30000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 134F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 144F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 154F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 164F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 174F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 184F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 194F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 1A4F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 1B4F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 208D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 218D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 228D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 238D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 248D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 258D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 268D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 278D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 288D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 298D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 2A8D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 2B8D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 2C8D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: EF30000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: FF30000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: F030000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 10170000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 155F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 165F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 175F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 185F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 195F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 1A5F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 1B5F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 2D8D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 2E8D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 2F8D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 308D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 318D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 328D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 2E8D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 338D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 348D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 358D0000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 374E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 384E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 1C5F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 1D5F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 1E5F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 1F5F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 205F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 215F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 225F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 235F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 245F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 255F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 265F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 275F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 285F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 295F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 2A5F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 139F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 176F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 186F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 196F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 1A6F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 1B6F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 1C6F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 1D6F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 1E6F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 1F6F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 206F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 216F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 226F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 236F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 246F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 256F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 266F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 276F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 286F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 296F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 2A6F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 2B6F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 2C6F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 2D6F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 2E6F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 2F6F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 306F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 316F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 326F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 336F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 346F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 394E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 3A4E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 3B4E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 3C4E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 3D4E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 3E4E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 3F4E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 404E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 414E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 424E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 434E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 444E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 454E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 464E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 474E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 484E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 494E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 4A4E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 4B4E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 327F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: 374E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Window / User API: threadDelayed 2403
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Window / User API: threadDelayed 1850
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Window / User API: foregroundWindowGot 421
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Window / User API: foregroundWindowGot 427
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe TID: 5248 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe TID: 4124 | Thread sleep time: -1201500s >= -30000s
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe TID: 4124 | Thread sleep time: -925000s >= -30000s
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Thread delayed: delay time: 922337203685477
              Source: netsh.exe, 00000004.00000003.2077074101.0000000003301000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4437764810.000000000140A000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000003.2015365172.0000000000911000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000005.00000002.2108158359.00000000034CB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exe | Memory allocated: page read and write | page guard
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:57:53 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:58:52 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 08:00:35 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:58:11 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 12:57:51 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:58:57 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:59:31 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:59:49 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:57:58 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:58:09 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 09:45:06 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:57:32 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 08:00:01 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:57:41 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 08:27:09 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:56:53 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 16:49:40 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4446606289.000000000AB20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Rh Program Manager<1
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:57:27 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:58:49 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:58:39 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:57:07 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:56:55 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 15:40:02 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:58:41 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:58:31 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:58:32 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:58:08 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:57:20 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 08:02:29 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 10:11:46 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:59:00 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 08:00:45 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 08:04:39 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:57:28 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 08:01:09 - Program Manager
              Source: 1iZH7aeO5F.exe, Microsoft Corporation.exe.0.dr | Binary or memory string: ProgMan
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 09:20:33 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:57:15 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:58:07 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:57:22 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 08:00:24 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:57:42 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 12:49:40 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 09:00:59 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 11:55:05 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:57:55 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:56:56 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 07:57:24 - Program Manager
              Source: 1iZH7aeO5F.exe, Microsoft Corporation.exe.0.dr | Binary or memory string: Shell_traywnd+MostrarBarraDeTarefas
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/19 | 10:10:28 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 24/05/22 | 05:54:57 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/05/19 | 08:03:08 - Program Manager
              Source: 1iZH7aeO5F.exe, Microsoft Corporation.exe.0.drBinary or memory string: Shell_TrayWnd
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/05/19 | 08:00:59 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/05/19 | 07:57:29 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/05/19 | 07:57:39 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/05/19 | 08:48:22 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/05/19 | 07:58:05 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/05/19 | 07:57:19 - Program Manager
              Source: 1iZH7aeO5F.exe, 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/05/19 | 07:57:43 - Program Manager
              Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\1iZH7aeO5F.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Lowering of HIPS / PFW / Operating System Security Settings

Source: 1iZH7aeO5F.exe, Fransesco.cs; .Net Code: INS
Source: Microsoft Corporation.exe.0.dr, Fransesco.cs; .Net Code: INS
Source: C:\Users\user\Desktop\1iZH7aeO5F.exe; Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr
Source: C:\Users\user\Desktop\1iZH7aeO5F.exe; Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
Source: C:\Users\user\Desktop\1iZH7aeO5F.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\1iZH7aeO5F.exe" "1iZH7aeO5F.exe" ENABLE
Source: C:\Users\user\Desktop\1iZH7aeO5F.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\1iZH7aeO5F.exe" "1iZH7aeO5F.exe" ENABLE

              Stealing of Sensitive Information

Source: Yara match; File source: 1iZH7aeO5F.exe, type: SAMPLE
Source: Yara match; File source: 0.0.1iZH7aeO5F.exe.f90000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.1988603577.0000000000F92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 1iZH7aeO5F.exe PID: 5696, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED

              Remote Access Functionality

Source: Yara match; File source: 1iZH7aeO5F.exe, type: SAMPLE
Source: Yara match; File source: 0.0.1iZH7aeO5F.exe.f90000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.1988603577.0000000000F92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 1iZH7aeO5F.exe PID: 5696, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED
MITRE ATT&CK Matrix

The matrix is given here column by column (one tactic per line, techniques in the order of the matrix rows). A number in front of a technique is the count shown in that cell of the report's matrix.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: 11 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 12 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 1 Access Token Manipulation; 2 Process Injection; 12 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 51 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 2 Process Injection; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 11 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Peripheral Device Discovery; 12 System Information Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (ID 1443977, sample 1iZH7aeO5F.exe, start date 19/05/2024, architecture WINDOWS, score 100), rendered as a process tree:

Start
  DNS: 6.tcp.eu.ngrok.io
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 11 other signatures
  -> 1iZH7aeO5F.exe started (2 registry values created, 8 files created)
       Network: 6.tcp.eu.ngrok.io = 3.68.171.119, remote port 13006, local ports 49704 and 49705, AMAZON-02US, United States
                3.69.115.178, remote port 13006, local ports 49759 and 49760, AMAZON-02US, United States
       Dropped: C:\Users\user\...\Microsoft Corporation.exe, PE32
       Signatures: Disables zone checking for all users; Drops PE files to the startup folder; Uses netsh to modify the Windows network and firewall settings; 2 other signatures
       -> netsh.exe 2 started -> conhost.exe started
       -> netsh.exe 2 started -> conhost.exe started
       -> netsh.exe 2 started -> conhost.exe started
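The settings changes listed under "Lowering of HIPS / PFW / Operating System Security Settings" (DisableTaskMgr, SEE_MASK_NOZONECHECKS, the netsh allow rule the sample adds for itself), the PE dropped into the Startup folder, and the ngrok TCP tunnel endpoint in the network section are the behaviours a detection engineer would key on. What follows is an added example, not code from the report or from the sample: it evaluates those indicators over constructed Sysmon-style events whose paths, command lines and hostname are copied from this report. The SID, the two benign "noise" events, and the assumption that ngrok TCP endpoints are named N.tcp.ngrok.io or N.tcp.REGION.ngrok.io are mine.

```python
"""Detection logic for the behaviours this report attributes to 1iZH7aeO5F.exe,
run over constructed Sysmon-style events. Added example, not the report's code."""
import re

# Constructed telemetry modelled on Sysmon Event IDs 1 (process create),
# 11 (file create), 13 (registry value set) and 22 (DNS query). Paths, command
# lines and the ngrok host come from the report; SID and noise events are made up.
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE = r"C:\Users\user\Desktop\1iZH7aeO5F.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\netsh.exe", "ParentImage": SAMPLE,
     "CommandLine": f'netsh firewall add allowedprogram "{SAMPLE}" "1iZH7aeO5F.exe" ENABLE'},
    {"EventID": 13, "Image": SAMPLE, "Details": "DWORD (0x00000001)",
     "TargetObject": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"},
    {"EventID": 13, "Image": SAMPLE, "Details": "1",
     "TargetObject": SID + r"\Environment\SEE_MASK_NOZONECHECKS"},
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe"},
    {"EventID": 22, "Image": SAMPLE, "QueryName": "6.tcp.eu.ngrok.io"},
    # Benign noise (constructed): an administrator allowing a backup agent from an
    # elevated prompt, and a browser resolving ngrok's own site, not a tunnel endpoint.
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Backup" dir=in action=allow program="C:\\Program Files\\Backup\\agent.exe"'},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "ngrok.com"},
]

# Match both the legacy "netsh firewall" syntax (deprecated but still executed, as the
# netsh output dropped during this analysis confirms) and the advfirewall replacement.
FIREWALL_ALLOW = re.compile(
    r"\bnetsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram\b"
    r"|advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b)", re.IGNORECASE)
# Assumed ngrok TCP tunnel naming: N.tcp.ngrok.io or N.tcp.<region>.ngrok.io.
NGROK_TCP = re.compile(r"^\d+\.tcp(?:\.[a-z]{2,3})?\.ngrok\.io$", re.IGNORECASE)
STARTUP_DROP = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:exe|dll|scr|vbs|js|bat|cmd|lnk)$",
    re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)


def dword(details: str):
    """Parse Sysmon's 'DWORD (0x00000001)' rendering; bare digits are accepted too."""
    m = re.fullmatch(r"DWORD \(0x([0-9a-f]{8})\)|(\d+)", details.strip(), re.IGNORECASE)
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))


def check_event(ev: dict):
    """Return a (technique, reason) tuple when the event matches an indicator, else None."""
    eid = ev.get("EventID")
    if eid == 1 and FIREWALL_ALLOW.search(ev.get("CommandLine", "")):
        parent = ev.get("ParentImage", "")
        # The RAT pattern: the parent whitelists itself, and lives in a user-writable path.
        if parent and parent.lower() in ev["CommandLine"].lower() and USER_WRITABLE.match(parent):
            return ("T1562.004 Disable or Modify System Firewall",
                    f"{parent} added a firewall allow rule for itself")
    elif eid == 13:
        target = ev.get("TargetObject", "").lower()
        value = dword(ev.get("Details", ""))
        if target.endswith(r"\policies\system\disabletaskmgr") and value == 1:
            return ("T1562.001 Disable or Modify Tools", "DisableTaskMgr set to 1")
        if target.endswith(r"\environment\see_mask_nozonechecks") and value == 1:
            return ("T1562.001 Disable or Modify Tools",
                    "SEE_MASK_NOZONECHECKS=1 suppresses zone (Mark-of-the-Web) checks")
    elif eid == 11 and STARTUP_DROP.search(ev.get("TargetFilename", "")):
        return ("T1547.001 Registry Run Keys / Startup Folder",
                f"executable dropped into the Startup folder: {ev['TargetFilename']}")
    elif eid == 22 and NGROK_TCP.match(ev.get("QueryName", "")):
        return ("T1572 Protocol Tunneling",
                f"DNS query for an ngrok TCP tunnel endpoint: {ev['QueryName']}")
    return None


def triage(events):
    """Run every event through check_event; return (EventID, technique, reason) findings in order."""
    return [(ev["EventID"], *hit) for ev in events if (hit := check_event(ev))]


if __name__ == "__main__":
    for eid, technique, reason in triage(SAMPLE_EVENTS):
        print(f"[EventID {eid}] {technique}: {reason}")
```

The firewall check deliberately requires the parent process path to appear inside the netsh command line and to sit under C:\Users: an administrator allowing a product from an elevated console does not match, while a RAT whitelisting its own binary on the Desktop does. Note that rules written only for the advfirewall syntax miss this sample, since the legacy netsh firewall command is deprecated but still applied.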

Source | Detection | Scanner | Label
1iZH7aeO5F.exe | 91% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
1iZH7aeO5F.exe | 71% | Virustotal |
1iZH7aeO5F.exe | 100% | Avira | TR/Dropper.Gen
1iZH7aeO5F.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | 91% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | 71% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
6.tcp.eu.ngrok.io | 13% | Virustotal |

No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
6.tcp.eu.ngrok.io | 3.68.171.119 | true | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
3.69.115.178 | unknown | United States | 16509 | AMAZON-02US | true
3.68.171.119 | 6.tcp.eu.ngrok.io | United States | 16509 | AMAZON-02US | true
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1443977
              Start date and time:2024-05-19 13:56:06 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 7m 43s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:1iZH7aeO5F.exe
              renamed because original name is a hash value
              Original Sample Name:320f34b9a9f567e773d2a526daf749fa.exe
              Detection:MAL
              Classification:mal100.spre.phis.troj.adwa.evad.winEXE@10/6@4/2
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 99%
              • Number of executed functions: 134
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240s for sample files taking high CPU consumption
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
07:56:56 | API Interceptor | 144246x Sleep call for process: 1iZH7aeO5F.exe modified
13:56:57 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Match | Associated Sample Name / URL | Detection | Threat Name
3.69.115.178 | YTYyFVemXR.exe | malicious | Njrat
3.69.115.178 | zyx3qItgQK.exe | malicious | Njrat
3.69.115.178 | ziTLBa3N50.exe | malicious | Njrat
3.69.115.178 | IsJb5hB84q.exe | malicious | Njrat
3.69.115.178 | myidJB8lDL.exe | malicious | Njrat
3.69.115.178 | rkIcS0Y2WY.exe | malicious | Njrat
3.69.115.178 | 30b4CoDmKk.exe | malicious | Njrat
3.69.115.178 | QsKtlzYaKF.exe | malicious | Njrat
3.69.115.178 | xZLQ8X9Cxo.exe | malicious | Njrat
3.69.115.178 | sCXwkZrcZ3.exe | malicious | Njrat
3.68.171.119 | mhYCwt8wBz.exe | malicious | Njrat
3.68.171.119 | 592CDAD0A5B0AE90E0C812AECB2677096AF06CF941CE2.exe | malicious | Njrat
3.68.171.119 | U22p1GcCSb.exe | malicious | Njrat
3.68.171.119 | M5vARlA2c4.exe | malicious | Njrat
3.68.171.119 | YTYyFVemXR.exe | malicious | Njrat
3.68.171.119 | zyx3qItgQK.exe | malicious | Njrat
3.68.171.119 | NfJ0jC2dPr.exe | malicious | Njrat
3.68.171.119 | 226dVJ2zRZ.exe | malicious | Njrat
3.68.171.119 | N1aqZIb7KG.exe | malicious | Njrat
3.68.171.119 | m5l9v13hIi.exe | malicious | Njrat

Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP contacted)
6.tcp.eu.ngrok.io | mhYCwt8wBz.exe | malicious | Njrat | 3.68.171.119
6.tcp.eu.ngrok.io | 592CDAD0A5B0AE90E0C812AECB2677096AF06CF941CE2.exe | malicious | Njrat | 52.28.247.255
6.tcp.eu.ngrok.io | U22p1GcCSb.exe | malicious | Njrat | 3.66.38.117
6.tcp.eu.ngrok.io | Client.exe | malicious | AsyncRAT, DcRat | 3.69.157.220
6.tcp.eu.ngrok.io | M5vARlA2c4.exe | malicious | Njrat | 3.68.171.119
6.tcp.eu.ngrok.io | YTYyFVemXR.exe | malicious | Njrat | 3.68.171.119
6.tcp.eu.ngrok.io | zyx3qItgQK.exe | malicious | Njrat | 3.69.115.178
6.tcp.eu.ngrok.io | NfJ0jC2dPr.exe | malicious | Njrat | 3.69.157.220
6.tcp.eu.ngrok.io | ziTLBa3N50.exe | malicious | Njrat | 3.69.157.220
6.tcp.eu.ngrok.io | 1.exe | malicious | Njrat | 3.66.38.117
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP contacted)
AMAZON-02US | https://www.trades-protection.co.uk/update/?id=senderredu&sender_campaign=dGoZr0&sender_ctype=email&sender_customer=xn0JvBl&utm_campaign=Policy+Premium+Changed&utm_medium=email&utm_source=newsletter | malicious | Unknown | 52.217.228.72
AMAZON-02US | https://www.cxpqst.cc/ | malicious | Unknown | 13.32.99.104
AMAZON-02US | https://hnknly.com/ | malicious | Unknown | 18.181.40.233
AMAZON-02US | eliane formatado.doc | malicious | Unknown | 52.67.96.33
AMAZON-02US | pending delivery needs attention.vbs | malicious | Unknown | 104.192.141.1
AMAZON-02US | SO4ZFnqWrV.elf | malicious | Mirai, Okiru | 34.249.145.219
AMAZON-02US | IO23806Dwj.exe | malicious | FormBook | 3.64.163.50
AMAZON-02US | file.exe | malicious | Unknown | 99.86.1.70
AMAZON-02US | 7XKILEOAsR.elf | malicious | Mirai, Gafgyt, Okiru | 34.249.145.219
AMAZON-02US | file.exe | malicious | Unknown | 18.245.33.69
                                                      No context
                                                      No context
                                                      Process:C:\Users\user\Desktop\1iZH7aeO5F.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):95232
                                                      Entropy (8bit):5.558282844115275
                                                      Encrypted:false
                                                      SSDEEP:768:KY3/KpD7O/pBcxYsbae6GIXb9pDX2b98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk3hsGi:ZKBOx6baIa9RPj00ljEwzGi1dDRDUgS
                                                      MD5:320F34B9A9F567E773D2A526DAF749FA
                                                      SHA1:6A56B12F075F8DAAF354CA44810BEC29E756C941
                                                      SHA-256:16E030019F05B734A973A0FAFC0FB678D0EB2736CFD5159A7EA82EBF3C198170
                                                      SHA-512:92C05E4D6C55B68810E55B918C5C017C5D772E9F85C65EC0F35B0B9B24345BA33E0E9D1FB0055DF8CEDB437EE55F6409E3ED16E6ECA3A0A03BE3831DC5531D50
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Joe Security
                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: unknown
                                                      • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Florian Roth
                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: JPCERT/CC Incident Response Group
                                                      • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 91%
                                                      • Antivirus: Virustotal, Detection: 71%, Browse
                                                      Reputation:low
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ef.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                      Process:C:\Users\user\Desktop\1iZH7aeO5F.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:false
                                                      Reputation:high, very likely benign file
                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                      Process:C:\Users\user\Desktop\1iZH7aeO5F.exe
                                                      File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):5
                                                      Entropy (8bit):2.321928094887362
                                                      Encrypted:false
                                                      SSDEEP:3:6n:6n
                                                      MD5:2099BB64FD1770D321DF364F99B658D1
                                                      SHA1:3124EDEAA14C060BECFA8B980ED77DB15D56A9E3
                                                      SHA-256:D53CE6BDBD0C3CB4596AC3103F15824570A9858DA95F63CEDF64CEC11DC44E2D
                                                      SHA-512:3481F2A02F7B1255AD0F3CD8A716DE9C7414753B6F8657F0BF99738FF6623F8717469BC10E737D6C0D1D13846E726D50BAEB5E8EF73EFCFCE7BE5C63327C4895
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:.19
                                                      Process:C:\Windows\SysWOW64\netsh.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):313
                                                      Entropy (8bit):4.971939296804078
                                                      Encrypted:false
                                                      SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                                                      MD5:689E2126A85BF55121488295EE068FA1
                                                      SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
                                                      SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                                                      SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                                                      Malicious:false
                                                      Reputation:high, very likely benign file
                                                      Preview:..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....
                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):5.558282844115275
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Windows Screen Saver (13104/52) 0.07%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      File name:1iZH7aeO5F.exe
                                                      File size:95'232 bytes
                                                      MD5:320f34b9a9f567e773d2a526daf749fa
                                                      SHA1:6a56b12f075f8daaf354ca44810bec29e756c941
                                                      SHA256:16e030019f05b734a973a0fafc0fb678d0eb2736cfd5159a7ea82ebf3c198170
                                                      SHA512:92c05e4d6c55b68810e55b918c5c017c5d772e9f85c65ec0f35b0b9b24345ba33e0e9d1fb0055df8cedb437ee55f6409e3ed16e6eca3a0a03be3831dc5531d50
                                                      SSDEEP:768:KY3/KpD7O/pBcxYsbae6GIXb9pDX2b98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk3hsGi:ZKBOx6baIa9RPj00ljEwzGi1dDRDUgS
                                                      TLSH:8F93F84977E56524E4BF56F79871F2004E34B48B1602E39D48F219AA1B33AC44F89FEB
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ef.................p............... ........@.. ....................................@................................
                                                      Icon Hash:00928e8e8686b000
                                                      Entrypoint:0x418efe
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x6645061A [Wed May 15 18:59:38 2024 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(followed by 97 x "add byte ptr [eax], al": the bytes after the jmp are zero padding, which the disassembler decodes as that instruction. 0x402000 is the IAT slot holding mscoree.dll!_CorExeMain (Imagebase 0x400000 + IMAGE_DIRECTORY_ENTRY_IAT 0x2000), so this is the standard native loader stub of a .NET executable and carries no sample-specific logic; the actual code is CIL in .text and is what the .NET-source signatures above were matched against.)
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x18ea8         | 0x53         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x1a000         | 0xc          | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type | Entropy             | Characteristics
.text  | 0x2000          | 0x16f04      | 0x17000  | e7224b3d383a503c52fc24ac0d2fffe8 | False    | 0.36818529211956524 | data      | 5.590134667871109   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0x1a000         | 0xc          | 0x200    | 02466978873e232bef309f048b95192f | False    | 0.041015625         | data      | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL         | Import
mscoree.dll | _CorExeMain
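The entry-point stub, the IAT entry and the COM descriptor entry above are the three header facts that mark this file as a managed .NET image rather than native code. The script below is an added example, not Joe Sandbox code and not code from the sample: using only the standard library it reads those fields from a PE32 and confirms that the native entry point is a jmp through the IAT (the mscoree!_CorExeMain thunk), that a CLR header is present, and when the file was linked. The build_test_pe() helper constructs a tiny synthetic PE laid out like this sample (image base 0x400000, IAT at RVA 0x2000 with size 8, CLR header at RVA 0x2008 with size 0x48, timestamp 0x6645061A); the real sample is not embedded, and the synthetic entry RVA 0x2100 is an assumption chosen to keep the test file small.

```python
# Added example (not Joe Sandbox or sample code): static triage of a PE32 that
# mirrors the fields in the report above (entry stub, IAT directory, COM descriptor
# directory, link timestamp) using only the standard library.
import struct
from datetime import datetime, timezone

DIR_IAT = 12             # IMAGE_DIRECTORY_ENTRY_IAT
DIR_COM_DESCRIPTOR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header)
COMIMAGE_FLAGS_ILONLY = 0x1


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for _name, va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def triage_pe(data: bytes) -> dict:
    """Header facts an analyst checks first on a suspected .NET dropper: is it
    managed, does the native entry point only jump through the IAT, when was it linked."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)]

    sections = []
    sect_off = opt + opt_size
    for i in range(nsect):
        hdr = data[sect_off + 40 * i: sect_off + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", hdr, 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))

    iat_rva, iat_size = dirs[DIR_IAT] if n_dirs > DIR_IAT else (0, 0)
    clr_rva, clr_size = dirs[DIR_COM_DESCRIPTOR] if n_dirs > DIR_COM_DESCRIPTOR else (0, 0)

    # A .NET PE32 entry point is FF 25 <abs addr> = jmp dword ptr [addr], where addr
    # is the IAT slot holding mscoree!_CorExeMain; everything after it is padding.
    ep = _rva_to_offset(sections, entry_rva)
    stub = data[ep:ep + 6]
    is_jmp_indirect = len(stub) == 6 and stub[:2] == b"\xff\x25"
    jmp_target_va = struct.unpack_from("<I", stub, 2)[0] if is_jmp_indirect else None
    stub_hits_iat = bool(is_jmp_indirect and iat_size
                         and iat_rva <= jmp_target_va - image_base < iat_rva + iat_size)

    clr_flags = 0
    if clr_rva and clr_size:  # IMAGE_COR20_HEADER.Flags sits 16 bytes into the CLR header
        clr_flags = struct.unpack_from("<I", data, _rva_to_offset(sections, clr_rva) + 16)[0]

    return {
        "machine": machine,
        "characteristics": chars,
        "link_time_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "entry_rva": entry_rva,
        "image_base": image_base,
        "sections": [s[0] for s in sections],
        "iat": (iat_rva, iat_size),
        "clr_header": (clr_rva, clr_size),
        "is_dotnet": bool(clr_rva and clr_size),
        "il_only": bool(clr_flags & COMIMAGE_FLAGS_ILONLY),
        "entry_is_jmp_indirect": is_jmp_indirect,
        "entry_jmp_target_va": jmp_target_va,
        "entry_jumps_into_iat": stub_hits_iat,
    }


def build_test_pe() -> bytes:
    """Constructed input (not the real sample): a minimal PE32 with the report's layout,
    image base 0x400000, .text at RVA 0x2000, IAT at 0x2000 (8 bytes), CLR header at
    0x2008 (0x48 bytes), entry stub FF 25 00 20 40 00 at the assumed RVA 0x2100."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x6645061A, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2100)                   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase
    struct.pack_into("<II", opt, 32, 0x2000, 0x200)           # Section / file alignment
    struct.pack_into("<H", opt, 68, 2)                        # Subsystem: windows gui
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_IAT, 0x2000, 8)
    struct.pack_into("<II", opt, 96 + 8 * DIR_COM_DESCRIPTOR, 0x2008, 0x48)
    sect = bytearray(40)
    sect[:5] = b".text"
    struct.pack_into("<IIII", sect, 8, 0x200, 0x2000, 0x200, 0x200)  # vsize, va, raw size, raw ptr
    struct.pack_into("<I", sect, 36, 0x60000020)              # CODE | EXECUTE | READ
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0")
    text = bytearray(0x200)
    struct.pack_into("<I", text, 0x08, 0x48)                  # CLR header cb at RVA 0x2008
    struct.pack_into("<I", text, 0x18, COMIMAGE_FLAGS_ILONLY)  # CLR Flags at header + 16
    text[0x100:0x106] = b"\xff\x25\x00\x20\x40\x00"           # jmp dword ptr [0x402000]
    return bytes(headers + text)


if __name__ == "__main__":
    for key, value in triage_pe(build_test_pe()).items():
        print(f"{key:>22}: {value}")
```

On the real sample the same checks should give entry_rva 0x18efe, iat (0x2000, 8), clr_header (0x2008, 0x48), entry_jumps_into_iat True and link_time_utc 2024-05-15 18:59:38 UTC, matching the static fields above; a managed file whose entry stub does not jump into the IAT, or whose CLR header is absent despite importing mscoree.dll, has been tampered with and deserves a closer look.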
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/19/24-13:58:30.141221 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49743 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:24.873447 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49741 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:37.401284 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49745 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:27.517197 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49742 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:40.953521 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49746 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:43.869191 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49747 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:01.293185 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49704 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:03.600944 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49705 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:22.261137 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49740 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:55.620050 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49731 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:52.818612 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49730 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:32.733312 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49744 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-14:00:21.177524 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49759 | 13006 | 192.168.2.5 | 3.69.115.178
05/19/24-13:58:19.605486 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49739 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:59:19.811421 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49753 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:59:22.393782 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49754 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:58.732625 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49732 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:04.716868 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49734 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:59:12.889712 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49752 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:59:48.841533 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49756 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:55.673276 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49731 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:07.280571 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49735 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:59:00.265208 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49750 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-14:00:03.906997 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49757 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-14:00:11.073416 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49758 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:14.849038 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49714 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:17.710652 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49716 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:52.868787 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49730 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:09.905031 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49736 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:19.605486 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49739 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:59:10.297630 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49751 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:13.052528 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49737 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:27.299562 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49720 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:30.702609 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49721 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:24.819791 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49741 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:22.209333 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49740 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:59:37.333591 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49755 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:01.588817 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49733 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:09.310016 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49707 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:49.912771 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49728 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:06.277632 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49706 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:12.109502 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49708 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:53.202661 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49749 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:03.547062 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49705 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:44.237483 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49726 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:47.102281 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49727 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:48.599643 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49748 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:59:22.622570 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49754 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:27.466502 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49742 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:23.369142 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49719 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:30.687437 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49721 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-14:00:37.885777 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49760 | 13006 | 192.168.2.5 | 3.69.115.178
05/19/24-14:01:03.033945 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49761 | 13006 | 192.168.2.5 | 3.69.115.178
05/19/24-13:57:20.532509 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49718 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:30.091760 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49743 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:33.272402 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49722 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:36.010938 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49723 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:19.573184 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49739 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:32.682513 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49744 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:38.789971 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49724 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:41.511014 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49725 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:01.287429 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49704 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:37.347524 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49745 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:43.807491 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49747 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:40.901851 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49746 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:33.320635 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49722 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:30.693152 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49721 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:36.065243 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49723 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-14:01:02.978980 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49761 | 13006 | 192.168.2.5 | 3.69.115.178
05/19/24-13:57:27.352576 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49720 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:38.799294 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49724 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:41.523438 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49725 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:47.112042 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49727 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:44.293131 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49726 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-14:00:37.831032 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49760 | 13006 | 192.168.2.5 | 3.69.115.178
05/19/24-13:59:12.837250 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49752 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:59:00.214834 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49750 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:59:22.622570 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49754 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:59:10.247529 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49751 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-14:00:21.171817 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49759 | 13006 | 192.168.2.5 | 3.69.115.178
05/19/24-13:58:19.518408 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49739 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:20.476527 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49718 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:17.487883 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49738 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:13.046674 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49737 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-14:00:11.022301 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49758 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:17.698975 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49716 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:23.312492 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49719 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:30.702609 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49721 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:59:19.755628 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49753 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:12.130118 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49708 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:58.681738 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49732 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:01.531695 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49733 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:53.253209 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49749 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:59:22.388360 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49754 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:06.329376 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49706 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:09.320195 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49707 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:59:37.282316 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49755 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:49.965614 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49728 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:07.229080 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49735 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:59:48.789535 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49756 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:57:14.793035 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49714 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:04.686444 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49734 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-13:58:09.853627 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49736 | 13006 | 192.168.2.5 | 3.68.171.119
05/19/24-14:00:03.901621 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49757 | 13006 | 192.168.2.5 | 3.68.171.119
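In the HTML export the alert columns run together without separators, which makes the table hard to pivot on. The script below is an added example, not part of the Joe Sandbox report: it splits rows of this shape back into fields, aggregates them per C2 endpoint (destination IP and port, rules fired, distinct source ports) and measures the beacon cadence of one rule. The ten sample rows are copied verbatim from the table above. The field regex assumes the column order given by the table header (timestamp, protocol, 7-digit SID, message, source port, destination port, source IP, destination IP); it is my reconstruction of the layout, not an official Joe Sandbox format definition.

```python
# Added example (not Joe Sandbox code): re-parse flattened IDS alert rows from a
# report like the one above into C2 indicators and a beacon cadence.
import re
from datetime import datetime
from statistics import median

# Ten rows copied verbatim from the alert table above (columns fused by the export).
RAW_ALERTS = """\
05/19/24-13:57:01.287429TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4970413006192.168.2.53.68.171.119
05/19/24-13:57:01.293185TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4970413006192.168.2.53.68.171.119
05/19/24-13:57:03.547062TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4970513006192.168.2.53.68.171.119
05/19/24-13:57:03.600944TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4970513006192.168.2.53.68.171.119
05/19/24-13:57:06.329376TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4970613006192.168.2.53.68.171.119
05/19/24-13:57:09.320195TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4970713006192.168.2.53.68.171.119
05/19/24-13:57:30.702609TCP2825564ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)4972113006192.168.2.53.68.171.119
05/19/24-13:57:30.702609TCP2814860ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)4972113006192.168.2.53.68.171.119
05/19/24-14:00:21.177524TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4975913006192.168.2.53.69.115.178
05/19/24-14:00:37.885777TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4976013006192.168.2.53.69.115.178
"""

# Assumed column order from the table header: timestamp, protocol, SID, message,
# source port, dest port, source IP, dest IP. SIDs are 7 digits; the non-greedy
# message group stops at the first point where the numeric tail parses as
# port, port, IPv4, IPv4 up to end of line.
_IP = r"(?:\d{1,3}\.){3}\d{1,3}"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)"
    r"(?P<proto>TCP|UDP)(?P<sid>\d{7})(?P<msg>.+?)"
    r"(?P<sport>\d{1,5})(?P<dport>\d{1,5})"
    rf"(?P<sip>{_IP})(?P<dip>{_IP})$"
)


def parse_alerts(text):
    """Split fused rows into dicts; reject anything that is not a sane port/IPv4 split."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        sport, dport = int(m["sport"]), int(m["dport"])
        if not (0 < sport <= 65535 and 0 < dport <= 65535):
            raise ValueError(f"port out of range in row: {line!r}")
        for ip in (m["sip"], m["dip"]):
            if any(int(octet) > 255 for octet in ip.split(".")):
                raise ValueError(f"bad IPv4 octet in row: {line!r}")
        alerts.append({
            "ts": datetime.strptime(m["ts"], "%m/%d/%y-%H:%M:%S.%f"),
            "proto": m["proto"], "sid": int(m["sid"]), "msg": m["msg"],
            "src_port": sport, "dst_port": dport, "src_ip": m["sip"], "dst_ip": m["dip"],
        })
    return alerts


def c2_summary(alerts):
    """One record per (dst IP, dst port): which rules fired, how often, over what window,
    and how many distinct source ports were used (one per alert means a fresh TCP
    connection for every beacon rather than a long-lived session)."""
    out = {}
    for a in alerts:
        rec = out.setdefault((a["dst_ip"], a["dst_port"]), {
            "alerts": 0, "sids": set(), "src_ports": set(), "first": a["ts"], "last": a["ts"]})
        rec["alerts"] += 1
        rec["sids"].add(a["sid"])
        rec["src_ports"].add(a["src_port"])
        rec["first"], rec["last"] = min(rec["first"], a["ts"]), max(rec["last"], a["ts"])
    return out


def beacon_gaps(alerts, sid, dst_ip):
    """Seconds between consecutive hits of one rule against one C2 host."""
    ts = sorted(a["ts"] for a in alerts if a["sid"] == sid and a["dst_ip"] == dst_ip)
    return [round((later - earlier).total_seconds(), 6) for earlier, later in zip(ts, ts[1:])]


def beacon_period(alerts, sid, dst_ip):
    """Median gap, which is robust to the occasional slow or missed callback."""
    return median(beacon_gaps(alerts, sid, dst_ip))


if __name__ == "__main__":
    alerts = parse_alerts(RAW_ALERTS)
    for (ip, port), rec in sorted(c2_summary(alerts).items()):
        print(f"{ip}:{port}  alerts={rec['alerts']}  sids={sorted(rec['sids'])}  "
              f"src_ports={len(rec['src_ports'])}  {rec['first'].time()} .. {rec['last'].time()}")
    print(f"SID 2814856 -> 3.68.171.119  gaps={beacon_gaps(alerts, 2814856, '3.68.171.119')}  "
          f"period={beacon_period(alerts, 2814856, '3.68.171.119'):.3f}s")
```

Run over the full table above, the same code yields two C2 endpoints on the same port (3.68.171.119:13006 and, from 14:00:21, 3.69.115.178:13006), a callback roughly every three seconds, and a new source port per callback, which matches the SYN-per-beacon pattern in the TCP flow list that follows; the destination IP:port pairs and SIDs are the indicators worth blocking and alerting on.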
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 19, 2024 13:57:00.706864119 CEST | 49704 | 13006 | 192.168.2.5 | 3.68.171.119
May 19, 2024 13:57:00.712179899 CEST | 13006 | 49704 | 3.68.171.119 | 192.168.2.5
May 19, 2024 13:57:00.712282896 CEST | 49704 | 13006 | 192.168.2.5 | 3.68.171.119
May 19, 2024 13:57:01.287429094 CEST | 49704 | 13006 | 192.168.2.5 | 3.68.171.119
May 19, 2024 13:57:01.292992115 CEST | 13006 | 49704 | 3.68.171.119 | 192.168.2.5
May 19, 2024 13:57:01.293184996 CEST | 49704 | 13006 | 192.168.2.5 | 3.68.171.119
May 19, 2024 13:57:01.298612118 CEST | 13006 | 49704 | 3.68.171.119 | 192.168.2.5
May 19, 2024 13:57:01.527338028 CEST | 13006 | 49704 | 3.68.171.119 | 192.168.2.5
May 19, 2024 13:57:01.527580976 CEST | 49704 | 13006 | 192.168.2.5 | 3.68.171.119
May 19, 2024 13:57:03.535880089 CEST | 49704 | 13006 | 192.168.2.5 | 3.68.171.119
May 19, 2024 13:57:03.536628008 CEST | 49705 | 13006 | 192.168.2.5 | 3.68.171.119
May 19, 2024 13:57:03.541361094 CEST | 13006 | 49704 | 3.68.171.119 | 192.168.2.5
May 19, 2024 13:57:03.546312094 CEST | 13006 | 49705 | 3.68.171.119 | 192.168.2.5
May 19, 2024 13:57:03.546418905 CEST | 49705 | 13006 | 192.168.2.5 | 3.68.171.119
May 19, 2024 13:57:03.547061920 CEST | 49705 | 13006 | 192.168.2.5 | 3.68.171.119
May 19, 2024 13:57:03.600800037 CEST | 13006 | 49705 | 3.68.171.119 | 192.168.2.5
May 19, 2024 13:57:03.600944042 CEST | 49705 | 13006 | 192.168.2.5 | 3.68.171.119
May 19, 2024 13:57:03.606427908 CEST | 13006 | 49705 | 3.68.171.119 | 192.168.2.5
                                                      May 19, 2024 13:57:04.259557009 CEST13006497053.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:04.259629965 CEST4970513006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:06.265609980 CEST4970513006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:06.266484022 CEST4970613006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:06.271133900 CEST13006497053.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:06.276257038 CEST13006497063.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:06.276515961 CEST4970613006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:06.277631998 CEST4970613006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:06.328999043 CEST13006497063.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:06.329375982 CEST4970613006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:06.334913969 CEST13006497063.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:07.016166925 CEST13006497063.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:07.016289949 CEST4970613006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:09.252491951 CEST4970613006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:09.253823996 CEST4970713006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:09.258171082 CEST13006497063.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:09.309335947 CEST13006497073.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:09.309598923 CEST4970713006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:09.310015917 CEST4970713006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:09.319981098 CEST13006497073.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:09.320194960 CEST4970713006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:09.325562000 CEST13006497073.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:10.010397911 CEST13006497073.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:10.010504007 CEST4970713006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:12.015156984 CEST4970713006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:12.015753031 CEST4970813006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:12.020390987 CEST13006497073.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:12.069127083 CEST13006497083.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:12.069211006 CEST4970813006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:12.109502077 CEST4970813006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:12.130033016 CEST13006497083.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:12.130117893 CEST4970813006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:12.181282997 CEST13006497083.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:12.767674923 CEST13006497083.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:12.767762899 CEST4970813006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:14.780648947 CEST4970813006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:14.781725883 CEST4971413006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:14.786449909 CEST13006497083.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:14.792304039 CEST13006497143.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:14.792398930 CEST4971413006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:14.793035030 CEST4971413006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:14.848963976 CEST13006497143.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:14.849037886 CEST4971413006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:14.854300022 CEST13006497143.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:15.462346077 CEST13006497143.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:15.462440968 CEST4971413006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:17.475456953 CEST4971413006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:17.481023073 CEST13006497143.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:17.692450047 CEST4971613006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:17.697977066 CEST13006497163.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:17.698230028 CEST4971613006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:17.698975086 CEST4971613006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:17.710458040 CEST13006497163.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:17.710652113 CEST4971613006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:17.716022968 CEST13006497163.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:18.390405893 CEST13006497163.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:18.390521049 CEST4971613006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:20.433239937 CEST4971613006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:20.438611984 CEST13006497163.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:20.470069885 CEST4971813006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:20.475892067 CEST13006497183.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:20.476016045 CEST4971813006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:20.476526976 CEST4971813006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:20.532409906 CEST13006497183.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:20.532509089 CEST4971813006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:20.537506104 CEST13006497183.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:21.163750887 CEST13006497183.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:21.163847923 CEST4971813006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:23.199655056 CEST4971813006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:23.205229998 CEST13006497183.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:23.305973053 CEST4971913006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:23.311635971 CEST13006497193.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:23.312000990 CEST4971913006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:23.312491894 CEST4971913006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:23.368923903 CEST13006497193.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:23.369142056 CEST4971913006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:23.374557018 CEST13006497193.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:23.994513988 CEST13006497193.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:23.994699955 CEST4971913006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:26.859771967 CEST4971913006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:26.865475893 CEST13006497193.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:27.293231010 CEST4972013006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:27.298656940 CEST13006497203.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:27.298854113 CEST4972013006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:27.299561977 CEST4972013006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:27.352477074 CEST13006497203.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:27.352576017 CEST4972013006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:27.357965946 CEST13006497203.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:28.000294924 CEST13006497203.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:28.000597000 CEST4972013006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:30.015774965 CEST4972013006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:30.020919085 CEST13006497203.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:30.235384941 CEST4972113006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:30.241103888 CEST13006497213.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:30.241460085 CEST4972113006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:30.687437057 CEST4972113006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:30.692929029 CEST13006497213.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:30.693151951 CEST4972113006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:30.698801994 CEST13006497213.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:30.702609062 CEST4972113006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:30.708355904 CEST13006497213.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:30.942318916 CEST13006497213.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:30.942410946 CEST4972113006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:32.963355064 CEST4972113006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:32.969074011 CEST13006497213.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:33.262398958 CEST4972213006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:33.267849922 CEST13006497223.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:33.267996073 CEST4972213006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:33.272402048 CEST4972213006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:33.320544958 CEST13006497223.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:33.320635080 CEST4972213006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:33.325567007 CEST13006497223.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:33.987447977 CEST13006497223.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:33.987545013 CEST4972213006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:35.999485970 CEST4972213006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:36.000149012 CEST4972313006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:36.005404949 CEST13006497223.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:36.010292053 CEST13006497233.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:36.010509014 CEST4972313006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:36.010937929 CEST4972313006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:36.065155983 CEST13006497233.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:36.065243006 CEST4972313006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:36.070827961 CEST13006497233.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:36.730247021 CEST13006497233.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:36.730344057 CEST4972313006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:38.735157013 CEST4972313006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:38.736939907 CEST4972413006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:38.740503073 CEST13006497233.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:38.789081097 CEST13006497243.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:38.789299965 CEST4972413006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:38.789971113 CEST4972413006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:38.799204111 CEST13006497243.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:38.799293995 CEST4972413006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:38.804706097 CEST13006497243.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:39.491616011 CEST13006497243.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:39.491710901 CEST4972413006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:41.499517918 CEST4972413006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:41.500193119 CEST4972513006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:41.505074978 CEST13006497243.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:41.510272026 CEST13006497253.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:41.510540009 CEST4972513006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:41.511013985 CEST4972513006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:41.523205996 CEST13006497253.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:41.523437977 CEST4972513006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:41.533231020 CEST13006497253.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:42.188287020 CEST13006497253.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:42.188580990 CEST4972513006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:44.210433960 CEST4972513006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:44.217730045 CEST13006497253.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:44.229238987 CEST4972613006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:44.236638069 CEST13006497263.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:44.236740112 CEST4972613006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:44.237483025 CEST4972613006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:44.292938948 CEST13006497263.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:44.293131113 CEST4972613006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:44.298566103 CEST13006497263.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:45.038036108 CEST13006497263.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:45.041393995 CEST4972613006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:47.046538115 CEST4972613006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:47.047523022 CEST4972713006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:47.052436113 CEST13006497263.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:47.101434946 CEST13006497273.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:47.101650953 CEST4972713006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:47.102281094 CEST4972713006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:47.111841917 CEST13006497273.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:47.112041950 CEST4972713006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:47.117280960 CEST13006497273.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:47.803777933 CEST13006497273.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:47.803966045 CEST4972713006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:49.821165085 CEST4972713006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:49.827218056 CEST13006497273.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:49.906727076 CEST4972813006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:49.912256956 CEST13006497283.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:49.912365913 CEST4972813006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:49.912770987 CEST4972813006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:49.965373039 CEST13006497283.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:49.965614080 CEST4972813006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:49.971074104 CEST13006497283.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:50.713473082 CEST13006497283.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:50.713582993 CEST4972813006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:52.735888958 CEST4972813006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:52.740900040 CEST13006497283.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:52.813009024 CEST4973013006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:52.818058014 CEST13006497303.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:52.818151951 CEST4973013006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:52.818612099 CEST4973013006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:52.868726015 CEST13006497303.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:52.868787050 CEST4973013006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:52.873661995 CEST13006497303.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:53.517165899 CEST13006497303.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:53.517393112 CEST4973013006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:55.594805002 CEST4973013006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:55.600140095 CEST13006497303.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:55.613459110 CEST4973113006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:55.618798018 CEST13006497313.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:55.618894100 CEST4973113006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:55.620049953 CEST4973113006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:55.673068047 CEST13006497313.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:55.673275948 CEST4973113006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:55.678239107 CEST13006497313.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:56.167782068 CEST13006497313.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:56.172513962 CEST13006497313.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:56.172593117 CEST4973113006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:58.509807110 CEST4973113006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:58.676235914 CEST4973213006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:58.681272030 CEST13006497323.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:58.681359053 CEST4973213006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:58.681737900 CEST4973213006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:58.732489109 CEST13006497323.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:58.732625008 CEST4973213006192.168.2.53.68.171.119
                                                      May 19, 2024 13:57:58.737463951 CEST13006497323.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:59.257917881 CEST13006497323.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:59.262646914 CEST13006497323.68.171.119192.168.2.5
                                                      May 19, 2024 13:57:59.262742996 CEST4973213006192.168.2.53.68.171.119
                                                      May 19, 2024 13:58:01.459604979 CEST4973213006192.168.2.53.68.171.119
                                                      May 19, 2024 13:58:01.525835991 CEST4973313006192.168.2.53.68.171.119
                                                      May 19, 2024 13:58:01.530859947 CEST13006497333.68.171.119192.168.2.5
                                                      May 19, 2024 13:58:01.530931950 CEST4973313006192.168.2.53.68.171.119
                                                      May 19, 2024 13:58:01.531694889 CEST4973313006192.168.2.53.68.171.119
                                                      May 19, 2024 13:58:01.588594913 CEST13006497333.68.171.119192.168.2.5
                                                      May 19, 2024 13:58:01.588816881 CEST4973313006192.168.2.53.68.171.119
                                                      May 19, 2024 13:58:01.593736887 CEST13006497333.68.171.119192.168.2.5
                                                      May 19, 2024 13:58:02.102580070 CEST13006497333.68.171.119192.168.2.5
                                                      May 19, 2024 13:58:02.107541084 CEST13006497333.68.171.119192.168.2.5
                                                      May 19, 2024 13:58:02.107593060 CEST4973313006192.168.2.53.68.171.119
                                                      May 19, 2024 14:00:37.830080032 CEST13006497603.69.115.178192.168.2.5
                                                      May 19, 2024 14:00:37.830188990 CEST4976013006192.168.2.53.69.115.178
                                                      May 19, 2024 14:00:37.831032038 CEST4976013006192.168.2.53.69.115.178
                                                      May 19, 2024 14:00:37.885608912 CEST13006497603.69.115.178192.168.2.5
                                                      May 19, 2024 14:00:37.885776997 CEST4976013006192.168.2.53.69.115.178
                                                      May 19, 2024 14:00:37.891309977 CEST13006497603.69.115.178192.168.2.5
                                                      May 19, 2024 14:00:38.523072004 CEST13006497603.69.115.178192.168.2.5
                                                      May 19, 2024 14:00:38.523303032 CEST4976013006192.168.2.53.69.115.178
                                                      May 19, 2024 14:00:40.600415945 CEST4976013006192.168.2.53.69.115.178
                                                      May 19, 2024 14:00:40.606077909 CEST13006497603.69.115.178192.168.2.5
                                                      May 19, 2024 14:01:02.972568989 CEST4976113006192.168.2.53.69.115.178
                                                      May 19, 2024 14:01:02.978178978 CEST13006497613.69.115.178192.168.2.5
                                                      May 19, 2024 14:01:02.978405952 CEST4976113006192.168.2.53.69.115.178
                                                      May 19, 2024 14:01:02.978980064 CEST4976113006192.168.2.53.69.115.178
                                                      May 19, 2024 14:01:03.033751011 CEST13006497613.69.115.178192.168.2.5
                                                      May 19, 2024 14:01:03.033945084 CEST4976113006192.168.2.53.69.115.178
                                                      May 19, 2024 14:01:03.039242983 CEST13006497613.69.115.178192.168.2.5
                                                      May 19, 2024 14:01:03.674268961 CEST13006497613.69.115.178192.168.2.5
                                                      May 19, 2024 14:01:03.674542904 CEST4976113006192.168.2.53.69.115.178
Timestamp                              Source Port  Dest Port  Source IP    Dest IP
May 19, 2024 13:57:00.620995998 CEST   60397        53         192.168.2.5  1.1.1.1
May 19, 2024 13:57:00.631136894 CEST   53           60397      1.1.1.1      192.168.2.5
May 19, 2024 13:58:01.460277081 CEST   54210        53         192.168.2.5  1.1.1.1
May 19, 2024 13:58:01.522325039 CEST   53           54210      1.1.1.1      192.168.2.5
May 19, 2024 13:59:09.434355974 CEST   60016        53         192.168.2.5  1.1.1.1
May 19, 2024 13:59:09.452888966 CEST   53           60016      1.1.1.1      192.168.2.5
May 19, 2024 14:00:13.725698948 CEST   62026        53         192.168.2.5  1.1.1.1
May 19, 2024 14:00:13.781152010 CEST   53           62026      1.1.1.1      192.168.2.5
Timestamp                              Source IP    Dest IP  Trans ID  OP Code             Name               Type            Class        DNS over HTTPS
May 19, 2024 13:57:00.620995998 CEST   192.168.2.5  1.1.1.1  0xf37     Standard query (0)  6.tcp.eu.ngrok.io  A (IP address)  IN (0x0001)  false
May 19, 2024 13:58:01.460277081 CEST   192.168.2.5  1.1.1.1  0x4c41    Standard query (0)  6.tcp.eu.ngrok.io  A (IP address)  IN (0x0001)  false
May 19, 2024 13:59:09.434355974 CEST   192.168.2.5  1.1.1.1  0xb8c7    Standard query (0)  6.tcp.eu.ngrok.io  A (IP address)  IN (0x0001)  false
May 19, 2024 14:00:13.725698948 CEST   192.168.2.5  1.1.1.1  0x3618    Standard query (0)  6.tcp.eu.ngrok.io  A (IP address)  IN (0x0001)  false
Timestamp                              Source IP  Dest IP      Trans ID  Reply Code    Name               CName  Address       Type            Class        DNS over HTTPS
May 19, 2024 13:57:00.631136894 CEST   1.1.1.1    192.168.2.5  0xf37     No error (0)  6.tcp.eu.ngrok.io  -      3.68.171.119  A (IP address)  IN (0x0001)  false
May 19, 2024 13:58:01.522325039 CEST   1.1.1.1    192.168.2.5  0x4c41    No error (0)  6.tcp.eu.ngrok.io  -      3.68.171.119  A (IP address)  IN (0x0001)  false
May 19, 2024 13:59:09.452888966 CEST   1.1.1.1    192.168.2.5  0xb8c7    No error (0)  6.tcp.eu.ngrok.io  -      3.68.171.119  A (IP address)  IN (0x0001)  false
May 19, 2024 14:00:13.781152010 CEST   1.1.1.1    192.168.2.5  0x3618    No error (0)  6.tcp.eu.ngrok.io  -      3.69.115.178  A (IP address)  IN (0x0001)  false

                                                      Target ID:0
                                                      Start time:07:56:51
                                                      Start date:19/05/2024
                                                      Path:C:\Users\user\Desktop\1iZH7aeO5F.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\1iZH7aeO5F.exe"
                                                      Imagebase:0xf90000
                                                      File size:95'232 bytes
                                                      MD5 hash:320F34B9A9F567E773D2A526DAF749FA
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.4439055603.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1988603577.0000000000F92000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1988603577.0000000000F92000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.1988603577.0000000000F92000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                                                      Reputation:low
                                                      Has exited:false

                                                      Target ID:2
                                                      Start time:07:56:53
                                                      Start date:19/05/2024
                                                      Path:C:\Windows\SysWOW64\netsh.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:netsh firewall add allowedprogram "C:\Users\user\Desktop\1iZH7aeO5F.exe" "1iZH7aeO5F.exe" ENABLE
                                                      Imagebase:0x1080000
                                                      File size:82'432 bytes
                                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:3
                                                      Start time:07:56:53
                                                      Start date:19/05/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6d64d0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:4
                                                      Start time:07:56:57
                                                      Start date:19/05/2024
                                                      Path:C:\Windows\SysWOW64\netsh.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:netsh firewall delete allowedprogram "C:\Users\user\Desktop\1iZH7aeO5F.exe"
                                                      Imagebase:0x1080000
                                                      File size:82'432 bytes
                                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:5
                                                      Start time:07:56:57
                                                      Start date:19/05/2024
                                                      Path:C:\Windows\SysWOW64\netsh.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:netsh firewall add allowedprogram "C:\Users\user\Desktop\1iZH7aeO5F.exe" "1iZH7aeO5F.exe" ENABLE
                                                      Imagebase:0x1080000
                                                      File size:82'432 bytes
                                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:6
                                                      Start time:07:56:57
                                                      Start date:19/05/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6d64d0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:7
                                                      Start time:07:56:57
                                                      Start date:19/05/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6d64d0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true


                                                        Execution Graph

                                                        Execution Coverage:21.7%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:8.5%
                                                        Total number of Nodes:129
                                                        Total number of Limit Nodes:9

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: :@k$:@k$:@k$:@k$:@k$:@k$@
                                                        • API String ID: 0-4108611281

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $:@k$:@k$:@k$:@k$:@k$:@k
                                                        • API String ID: 0-3720531893
                                                        APIs
                                                        • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 062E0637
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: AdjustPrivilegesToken
                                                        • String ID:
                                                        • API String ID: 2874748243-0
                                                        • Opcode ID: 3b55dcce6989056ee9f2e3901266af54af19a8acce7dc83fb82a1e441b2d0341
                                                        • Instruction ID: 9de13d856203b749b7c7969afff562024b9f91d6867ec84e25e9c0303fd5b9b0
                                                        • Opcode Fuzzy Hash: 3b55dcce6989056ee9f2e3901266af54af19a8acce7dc83fb82a1e441b2d0341
                                                        • Instruction Fuzzy Hash: 6A219F755097819FDB128F25DC44B52BFF4AF06310F0884EAE9858B563D271A958CB62
                                                        APIs
                                                        • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 062E07A5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: InformationQuerySystem
                                                        • String ID:
                                                        • API String ID: 3562636166-0
                                                        • Opcode ID: 14406f2cbf99bf3d8ac7df791461f1cc97e38ec44a64e02955b174a53e4850f1
                                                        • Instruction ID: ac85858d680c6e1bc5835e59f54b9228e29af657123848f99606c282de610445
                                                        • Opcode Fuzzy Hash: 14406f2cbf99bf3d8ac7df791461f1cc97e38ec44a64e02955b174a53e4850f1
                                                        • Instruction Fuzzy Hash: 2D118E71409380AFDB228B15DC45A92FFB4EF07314F0984DAE9844F563D265A919CB62
                                                        APIs
                                                        • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 062E0637
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: AdjustPrivilegesToken
                                                        • String ID:
                                                        • API String ID: 2874748243-0
                                                        • Opcode ID: dbb6a08f11f4939fd406cbf965ba3970790dc58130fbe7d967113f80fbc2d20b
                                                        • Instruction ID: 7818c65c82632585356785b6abaceed2c553afa69e3777247eb496448b46e238
                                                        • Opcode Fuzzy Hash: dbb6a08f11f4939fd406cbf965ba3970790dc58130fbe7d967113f80fbc2d20b
                                                        • Instruction Fuzzy Hash: 1D11C2319102059FEB20CF55D944B66FBE4EF44320F08C4AADD858B662D3B5E4A8CFA1
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: recv
                                                        • String ID:
                                                        • API String ID: 1507349165-0
                                                        • Opcode ID: c3fa19de76d56cbc39148aa231fa00f7205423374ba011a657553c6f28f7f8ec
                                                        • Instruction ID: 136d1cdf06a30acc1ac228d5f0af51cec7a472e9d5b6146ce0dfb0fa02c394c3
                                                        • Opcode Fuzzy Hash: c3fa19de76d56cbc39148aa231fa00f7205423374ba011a657553c6f28f7f8ec
                                                        • Instruction Fuzzy Hash: 6A01B131805644DFEB20CF55E944B66FBE4EF04324F08C49ADD4A8B612D375E548CBB2
                                                        APIs
                                                        • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 062E07A5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: InformationQuerySystem
                                                        • String ID:
                                                        • API String ID: 3562636166-0
                                                        • Opcode ID: 299297685d41e90cf09e0c31d93818cdf678190f2bd91706d9a4ec1c10d7573e
                                                        • Instruction ID: 8dda8aae2c688fa2ab3e8092192123331b4a4cc4b045d050b9f96bc6c1ab5418
                                                        • Opcode Fuzzy Hash: 299297685d41e90cf09e0c31d93818cdf678190f2bd91706d9a4ec1c10d7573e
                                                        • Instruction Fuzzy Hash: A2018F358102449FEB60CF05D984B61FBE0EF09720F08C4AADE850A652D3B5E459CFA2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cb80176eb2bc45d37c57eea5bd1b74587a8f79fb9b87ff2ebb64f8be275f66a6
                                                        • Instruction ID: 6e7ed53d461df2496adad15c64b574c861f2b13187ec9b7aab8dba5c67bfccd8
                                                        • Opcode Fuzzy Hash: cb80176eb2bc45d37c57eea5bd1b74587a8f79fb9b87ff2ebb64f8be275f66a6
                                                        • Instruction Fuzzy Hash: 702202316017128FDB29DB35D59067D73E2FF80699B14807AE851DB2C1EF28DD89EBA0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b0e99ac6151c8046f91fc75654b1c5419abc0069a5e844b7afaa3dfda37c4396
                                                        • Instruction ID: f9637c1cf71be3ec1c6b943d490fc11e1674de78f04776aa6f5e8b47d44aa62b
                                                        • Opcode Fuzzy Hash: b0e99ac6151c8046f91fc75654b1c5419abc0069a5e844b7afaa3dfda37c4396
                                                        • Instruction Fuzzy Hash: 710208729016329FC72DCB31D550439B3A2FE417D9315857AEC919B280EF2DED85EBA0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: :@k$:@k
                                                        • API String ID: 0-4032727010
                                                        • Opcode ID: 3c5e9b52243c7f43f2da37c1a3c52e9dd981f407e7b7882791aeff7ebb919b25
                                                        • Instruction ID: bab6ea4bfdeb7e7b0d39c63e1aa6602d93c2232a911a1e662d367ba1b1b0769b
                                                        • Opcode Fuzzy Hash: 3c5e9b52243c7f43f2da37c1a3c52e9dd981f407e7b7882791aeff7ebb919b25
                                                        • Instruction Fuzzy Hash: 63B25D34B00965CFDB219B74DA10BBD7BF6FB88704F00409A9845A3795DB788D89EFA1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: :@k$:@k
                                                        • API String ID: 0-4032727010
                                                        • Opcode ID: 16575de085a9e84a627aabd19fb659dcd4388f9f35bd42c52b7c638bd81fbc80
                                                        • Instruction ID: e884683eb1932dd83a8840c08d732b057be387c904d0946b0250624527f3323e
                                                        • Opcode Fuzzy Hash: 16575de085a9e84a627aabd19fb659dcd4388f9f35bd42c52b7c638bd81fbc80
                                                        • Instruction Fuzzy Hash: C2928C347045659FDF219B74DA10BAD3BF7FB88708F00406A9846A3794CBB88D99EF61
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: :@k$:@k
                                                        • API String ID: 0-4032727010
                                                        • Opcode ID: a443cca27be17449d88e5236b0fd42d293a0adf5a366bc1d826179759909a150
                                                        • Instruction ID: 2f72f21ee9fc5e34ffa734abdb296ca752768092b40059c02d394d4bd0985486
                                                        • Opcode Fuzzy Hash: a443cca27be17449d88e5236b0fd42d293a0adf5a366bc1d826179759909a150
                                                        • Instruction Fuzzy Hash: 19928C347045659FDF219B74DA10BAD3BF7FB88708F00406A9846A3794CBB88D99EF61
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: :@k$:@k
                                                        • API String ID: 0-4032727010
                                                        • Opcode ID: f8c9f1fa5a6e7260a6d62fd89441146a2b8a02bcc0e5e1bffa90958bef7867a2
                                                        • Instruction ID: b2d206c279c3298b48fe1cb3ff498249a90046b1926967b40fcf4549c64db1dd
                                                        • Opcode Fuzzy Hash: f8c9f1fa5a6e7260a6d62fd89441146a2b8a02bcc0e5e1bffa90958bef7867a2
                                                        • Instruction Fuzzy Hash: 57928C347045659FDF219B74DA107AD3BF7FB88708F00406A9846A3794CBB88D99EF61

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 2666 187bd7a-187bdfe 2670 187be03-187be0f 2666->2670 2671 187be00 2666->2671 2672 187be14-187be1d 2670->2672 2673 187be11 2670->2673 2671->2670 2674 187be22-187be39 2672->2674 2675 187be1f 2672->2675 2673->2672 2677 187be7b-187be80 2674->2677 2678 187be3b-187be4e RegCreateKeyExW 2674->2678 2675->2674 2677->2678 2679 187be82-187be87 2678->2679 2680 187be50-187be78 2678->2680 2679->2680
                                                        APIs
                                                        • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 0187BE41
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        • Opcode ID: 7d117a57216dcdc07f059612af3f77098ab6b0fc3cc91cbf05f7e1d770c014eb
                                                        • Instruction ID: e0b67e92a08976fc4edfb8faed31cda9a0c20ef517508153914287e48869aa3d
                                                        • Opcode Fuzzy Hash: 7d117a57216dcdc07f059612af3f77098ab6b0fc3cc91cbf05f7e1d770c014eb
                                                        • Instruction Fuzzy Hash: 8F316D72500744AFEB228B25CC44FA7BBFCEF05614F08899AFA85CB652D334E549CB61

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 2685 62e16ff-62e171f 2686 62e1741-62e1773 2685->2686 2687 62e1721-62e1740 2685->2687 2691 62e1776-62e17ce RegQueryValueExW 2686->2691 2687->2686 2693 62e17d4-62e17ea 2691->2693
                                                        APIs
                                                        • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 062E17C6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: QueryValue
                                                        • String ID:
                                                        • API String ID: 3660427363-0
                                                        • Opcode ID: f7dca664cd70cf7714a9b36a015e1f38b25d24c70c2e5b08ea39eb836f948043
                                                        • Instruction ID: 92a24e50a00b580f70dd1af8af711c381482e2313caecdeee8040ab5fa9e0a31
                                                        • Opcode Fuzzy Hash: f7dca664cd70cf7714a9b36a015e1f38b25d24c70c2e5b08ea39eb836f948043
                                                        • Instruction Fuzzy Hash: AD318B7550E3C06FD3138B218C65A61BFB4EF47610B0E85DBE8C48F6A3D2296819C7B2

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 2694 187b1e6-187b1e8 2695 187b1f2-187b26d 2694->2695 2696 187b1ea-187b1f1 2694->2696 2700 187b272-187b289 2695->2700 2701 187b26f 2695->2701 2696->2695 2703 187b2cb-187b2d0 2700->2703 2704 187b28b-187b29e RegOpenKeyExW 2700->2704 2701->2700 2703->2704 2705 187b2d2-187b2d7 2704->2705 2706 187b2a0-187b2c8 2704->2706 2705->2706
                                                        APIs
                                                        • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0187B291
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: Open
                                                        • String ID:
                                                        • API String ID: 71445658-0
                                                        • Opcode ID: b7d2acfc8b14abec94b0644afd5a61cb2ac12f8a41263883c7b60399caca7ed5
                                                        • Instruction ID: f5026b599b9360edb0393756629bd5e7175d62a49aa7b8334f35678d8b4fe343
                                                        • Opcode Fuzzy Hash: b7d2acfc8b14abec94b0644afd5a61cb2ac12f8a41263883c7b60399caca7ed5
                                                        • Instruction Fuzzy Hash: C4317071409384AFE7228B65DC45FAABFB8EF06210F08849AE984CB553D264E549C771

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 2711 62e232c-62e23eb 2717 62e243d-62e2442 2711->2717 2718 62e23ed-62e23f5 getaddrinfo 2711->2718 2717->2718 2720 62e23fb-62e240d 2718->2720 2721 62e240f-62e243a 2720->2721 2722 62e2444-62e2449 2720->2722 2722->2721
                                                        APIs
                                                        • getaddrinfo.WS2_32(?,00000E24), ref: 062E23F3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: getaddrinfo
                                                        • String ID:
                                                        • API String ID: 300660673-0
                                                        • Opcode ID: 5f2493ae8e5934643027c9fb4374c17a02f417e2690760e9ff78f4e026f826d9
                                                        • Instruction ID: 5f7738cac46f5c769ac1f0e73dda9efc066b2223cc49245cff43f8896cd96cf6
                                                        • Opcode Fuzzy Hash: 5f2493ae8e5934643027c9fb4374c17a02f417e2690760e9ff78f4e026f826d9
                                                        • Instruction Fuzzy Hash: 9831F6B1404344AFE721DB11CC44FABFBACEF05314F04889AFA459B581D374A949CB71

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 2726 187aa75-187aafe 2730 187ab03-187ab0f 2726->2730 2731 187ab00 2726->2731 2732 187ab14-187ab1d 2730->2732 2733 187ab11 2730->2733 2731->2730 2734 187ab1f-187ab43 CreateFileW 2732->2734 2735 187ab6e-187ab73 2732->2735 2733->2732 2738 187ab75-187ab7a 2734->2738 2739 187ab45-187ab6b 2734->2739 2735->2734 2738->2739
                                                        APIs
                                                        • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0187AB25
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: d3014aa27784e91e704dfc10fc0ad0201867c7ce076e013ab2a799f4c858441c
                                                        • Instruction ID: fd7b335ca1012ceadceed0bf5d10f1879cfd95e80f677fd900d4b0cce818b995
                                                        • Opcode Fuzzy Hash: d3014aa27784e91e704dfc10fc0ad0201867c7ce076e013ab2a799f4c858441c
                                                        • Instruction Fuzzy Hash: B2317071505380AFE722CF65CC84F56BFF8EF06314F08889AE9858B652D375E949CB61

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 2790 62e2224-62e22b9 2795 62e22bb-62e22c3 GetProcessTimes 2790->2795 2796 62e2306-62e230b 2790->2796 2798 62e22c9-62e22db 2795->2798 2796->2795 2799 62e230d-62e2312 2798->2799 2800 62e22dd-62e2303 2798->2800 2799->2800
                                                        APIs
                                                        • GetProcessTimes.KERNELBASE(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 062E22C1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: ProcessTimes
                                                        • String ID:
                                                        • API String ID: 1995159646-0
                                                        • Opcode ID: aa55bbb3aeb5d5e4fea3e24043bb6e77aad794e0084e218980f547586cf93f57
                                                        • Instruction ID: f33fc705ec9f305912947c14eec2b726a9f87b7ac37cae68d236938364cb82e3
                                                        • Opcode Fuzzy Hash: aa55bbb3aeb5d5e4fea3e24043bb6e77aad794e0084e218980f547586cf93f57
                                                        • Instruction Fuzzy Hash: 6C310671509380AFEB12CF21DC45F96BFB8EF06314F08849AE9858B593D331A949CB71

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 2775 62e1c18-62e1c99 2779 62e1c9e-62e1ca7 2775->2779 2780 62e1c9b 2775->2780 2781 62e1cff-62e1d04 2779->2781 2782 62e1ca9-62e1cb1 ConvertStringSecurityDescriptorToSecurityDescriptorW 2779->2782 2780->2779 2781->2782 2784 62e1cb7-62e1cc9 2782->2784 2785 62e1ccb-62e1cfc 2784->2785 2786 62e1d06-62e1d0b 2784->2786 2786->2785
                                                        APIs
                                                        • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 062E1CAF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: DescriptorSecurity$ConvertString
                                                        • String ID:
                                                        • API String ID: 3907675253-0
                                                        • Opcode ID: b0905fc7131d9b5f230dd4271397e4f10fde74e447690caadfd6f2cceac2dad9
                                                        • Instruction ID: cbe63d487c1bd4a158cccfa148ec00a813ca97bc7955326dcefe2c7d361ad787
                                                        • Opcode Fuzzy Hash: b0905fc7131d9b5f230dd4271397e4f10fde74e447690caadfd6f2cceac2dad9
                                                        • Instruction Fuzzy Hash: AC31B171504385AFE721CB25DC44FABBFECEF06210F0884AAE945CB652D334E808CB61

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 2742 187b036-187b0b9 2746 187b0be-187b0c7 2742->2746 2747 187b0bb 2742->2747 2748 187b0cc-187b0d5 2746->2748 2749 187b0c9 2746->2749 2747->2746 2750 187b0d7-187b0fb CreateMutexW 2748->2750 2751 187b126-187b12b 2748->2751 2749->2748 2754 187b12d-187b132 2750->2754 2755 187b0fd-187b123 2750->2755 2751->2750 2754->2755
                                                        APIs
                                                        • CreateMutexW.KERNELBASE(?,?), ref: 0187B0DD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: CreateMutex
                                                        • String ID:
                                                        • API String ID: 1964310414-0

                                                        APIs
                                                        • RegQueryValueExW.KERNELBASE(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 0187B394
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: QueryValue
                                                        • String ID:
                                                        • API String ID: 3660427363-0

                                                        APIs
                                                        • GetExitCodeProcess.KERNELBASE(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 062E0960
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: CodeExitProcess
                                                        • String ID:
                                                        • API String ID: 3861947596-0

                                                        APIs
                                                        • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 0187BE41
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        APIs
                                                        • GetProcessWorkingSetSize.KERNEL32(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 062E33AF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: ProcessSizeWorking
                                                        • String ID:
                                                        • API String ID: 3584180929-0

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: :@k
                                                        • API String ID: 0-2277858631

                                                        APIs
                                                        • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0187A77E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: Clipboard
                                                        • String ID:
                                                        • API String ID: 220874293-0
                                                        APIs
                                                        • getaddrinfo.WS2_32(?,00000E24), ref: 062E23F3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: getaddrinfo
                                                        • String ID:
                                                        • API String ID: 300660673-0
                                                        APIs
                                                        • RegSetValueExW.KERNELBASE(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 0187BF38
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID:
                                                        • API String ID: 3702945584-0
                                                        APIs
                                                        • SendMessageTimeoutA.USER32(?,00000E24), ref: 0187B571
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: MessageSendTimeout
                                                        • String ID:
                                                        • API String ID: 1599653421-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: select
                                                        • String ID:
                                                        • API String ID: 1274211008-0
                                                        APIs
                                                        • ReadFile.KERNELBASE(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 0187AF0D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: FileRead
                                                        • String ID:
                                                        • API String ID: 2738559852-0
                                                        APIs
                                                        • WSASocketW.WS2_32(?,?,?,?,?), ref: 062E187E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: Socket
                                                        • String ID:
                                                        • API String ID: 38366605-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: FileView
                                                        • String ID:
                                                        • API String ID: 3314676101-0
                                                        APIs
                                                        • RegSetValueExW.KERNELBASE(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 0187B480
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID:
                                                        • API String ID: 3702945584-0
                                                        APIs
                                                        • RegQueryValueExW.KERNELBASE(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 062E1BC4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: QueryValue
                                                        • String ID:
                                                        • API String ID: 3660427363-0
                                                        APIs
                                                        • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 062E1CAF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: DescriptorSecurity$ConvertString
                                                        • String ID:
                                                        • API String ID: 3907675253-0
                                                        APIs
                                                        • K32EnumProcesses.KERNEL32(?,?,?,F3335DBD,00000000,?,?,?,?,?,?,?,?,6CA83C58), ref: 062E0AF2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: EnumProcesses
                                                        • String ID:
                                                        • API String ID: 84517404-0
                                                        APIs
                                                        • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0187AB25
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        APIs
                                                        • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0187B291
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: Open
                                                        • String ID:
                                                        • API String ID: 71445658-0
                                                        APIs
                                                        • EnumThreadWindows.USER32(?,00000E24,?,?), ref: 0187BB42
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: EnumThreadWindows
                                                        • String ID:
                                                        • API String ID: 2941952884-0
                                                        • Opcode ID: 7c672230c4bb58058cf68051a481b222110271cb09ff94367b11ced92b9a89a3
                                                        • Instruction ID: 8a37dc649bd2626c9805e16309ca77ecdf9191c919a4715f844ae04b0abed24d
                                                        • Opcode Fuzzy Hash: 7c672230c4bb58058cf68051a481b222110271cb09ff94367b11ced92b9a89a3
                                                        • Instruction Fuzzy Hash: A321607150E3C06FC3139B258C55A66BFB4EF47610F0A80DBD884DB6A3D624A95DC7B2
                                                        APIs
                                                        • SetProcessWorkingSetSize.KERNEL32(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 062E3493
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: ProcessSizeWorking
                                                        • String ID:
                                                        • API String ID: 3584180929-0
                                                        • Opcode ID: 7664a1764ebc47e7fff0fce2d883241d7af57b9fb3126b45fe65766d428841f0
                                                        • Instruction ID: 280bedfc68f6174a470fea2a1c251dbd86c33150d3cbc0da97cb7351a062258c
                                                        • Opcode Fuzzy Hash: 7664a1764ebc47e7fff0fce2d883241d7af57b9fb3126b45fe65766d428841f0
                                                        • Instruction Fuzzy Hash: 3C21C2715093846FD722CB21CC48FAABFA8EF46214F08C4ABFD858B152D374A948CB71
                                                        APIs
                                                        • GetFileType.KERNELBASE(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 0187ACBD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID:
                                                        • API String ID: 3081899298-0
                                                        • Opcode ID: d445727ae8b5b9ec3dee92d084bccf0c8916acc8bf7d987f765e2f1d42eeebbe
                                                        • Instruction ID: 1be114159a29436239b470e74d998cb7c62b3e3ba07698e024e2e4d6cd4e64de
                                                        • Opcode Fuzzy Hash: d445727ae8b5b9ec3dee92d084bccf0c8916acc8bf7d987f765e2f1d42eeebbe
                                                        • Instruction Fuzzy Hash: 8221D2B54093806FE7128B11DC44BE6BFB8EF47724F0880DAF9848B693D264A94AC771
                                                        APIs
                                                        • SetErrorMode.KERNELBASE(?), ref: 0187AA44
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode
                                                        • String ID:
                                                        • API String ID: 2340568224-0
                                                        • Opcode ID: df7c1de8f07d5523c6fed8834cfd35f2087cd4d76cf85720a06eb2ee72722b90
                                                        • Instruction ID: 8dc8aab08b626df95e3f2fec962265d4e7bc699c43aaa983cf925fd52458497d
                                                        • Opcode Fuzzy Hash: df7c1de8f07d5523c6fed8834cfd35f2087cd4d76cf85720a06eb2ee72722b90
                                                        • Instruction Fuzzy Hash: 3021486540E3C09FD7138B258C64A51BFB4AF53624F0E80DBD8C4CF5A3D2689949CB72
                                                        APIs
                                                        • shutdown.WS2_32(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 062E20E8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: shutdown
                                                        • String ID:
                                                        • API String ID: 2510479042-0
                                                        • Opcode ID: 72cfbc0912a24576c51fb1bd6c11bc4e9f77b00801d8ac8310c780c3a5574c98
                                                        • Instruction ID: 0901b3e7a804db093adabfad0071b77a6f67e5b0cde91a03e0ec25103558897d
                                                        • Opcode Fuzzy Hash: 72cfbc0912a24576c51fb1bd6c11bc4e9f77b00801d8ac8310c780c3a5574c98
                                                        • Instruction Fuzzy Hash: 202192B1409384AFDB12CB51DC44B96FFB8EF46224F0884DAE9859F252D368A549CB62
                                                        APIs
                                                        • CreateMutexW.KERNELBASE(?,?), ref: 0187B0DD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: CreateMutex
                                                        • String ID:
                                                        • API String ID: 1964310414-0
                                                        • Opcode ID: ed0fb4bcd27e7408339d1a3fe8e4948a0eb1f2e69eda848703d6f4617aac39d4
                                                        • Instruction ID: d27e9ce77c85f267bc3098847a1e6a56ad9d02dc9f624e24104361a55f6aa653
                                                        • Opcode Fuzzy Hash: ed0fb4bcd27e7408339d1a3fe8e4948a0eb1f2e69eda848703d6f4617aac39d4
                                                        • Instruction Fuzzy Hash: 5121CF716042049FE721DF65DD85BA6FBE8EF04324F04846AE948CB782E774E549CB72
                                                        APIs
                                                        • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 062E04B6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: LookupPrivilegeValue
                                                        • String ID:
                                                        • API String ID: 3899507212-0
                                                        • Opcode ID: 905676c7590c4be8e08cf878384c33cbe7d97f79398e7766053b43c503b605da
                                                        • Instruction ID: 92bfeb25deba4fa9a7d46e666d454676145fb16b452c77468c13b3b498b601ca
                                                        • Opcode Fuzzy Hash: 905676c7590c4be8e08cf878384c33cbe7d97f79398e7766053b43c503b605da
                                                        • Instruction Fuzzy Hash: 5121A1715093815FEB11CF25CD54B62BFF8EF06220F0884EAED84CF252D265E818CB61
                                                        APIs
                                                        • ioctlsocket.WS2_32(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 062E31FF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: ioctlsocket
                                                        • String ID:
                                                        • API String ID: 3577187118-0
                                                        • Opcode ID: fff254e3251af352dbde4eabfd7991246886b221f396a8a1ac0afc2a3ac58c49
                                                        • Instruction ID: 0d77d8a4b5b35cc61fb63c057db2392245878f0d607229e90ebefae33f43a6f6
                                                        • Opcode Fuzzy Hash: fff254e3251af352dbde4eabfd7991246886b221f396a8a1ac0afc2a3ac58c49
                                                        • Instruction Fuzzy Hash: 2B21A1714093846FD722CF51CC48F96BFA8EF46214F08849AE9859B552D374A949C7A1
                                                        APIs
                                                        • RegQueryValueExW.KERNELBASE(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 0187B394
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: QueryValue
                                                        • String ID:
                                                        • API String ID: 3660427363-0
                                                        • Opcode ID: e60c70f33ef2a2d932d19d83b58f127d4f368232dee20c02f59e581add8957eb
                                                        • Instruction ID: 4e945f6d805233d3f42c66d53502af830a2a9c0e931c115ffb9dadc77ef0305a
                                                        • Opcode Fuzzy Hash: e60c70f33ef2a2d932d19d83b58f127d4f368232dee20c02f59e581add8957eb
                                                        • Instruction Fuzzy Hash: F7216A76600204AFE721CE55CD84FA6FBECEF04714F08845AEE45CB692D764E988CAB1
                                                        APIs
                                                        • CopyFileW.KERNELBASE(?,?,?), ref: 0187B82A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: CopyFile
                                                        • String ID:
                                                        • API String ID: 1304948518-0
                                                        • Opcode ID: 82c2fbdce785a11b489ea7628992e59b0a9bb07d74922c418bd6e30ef9205dc1
                                                        • Instruction ID: 7f2d9dac6a733a7e5a466e4359d9aee458a6bac0423093c86d71fc4bbd036ece
                                                        • Opcode Fuzzy Hash: 82c2fbdce785a11b489ea7628992e59b0a9bb07d74922c418bd6e30ef9205dc1
                                                        • Instruction Fuzzy Hash: F4214F715093849FEB22CF29DC54B92BFA8EF06714F08849AED85CB653D275E444CB61
                                                        APIs
                                                        • SetFileAttributesW.KERNELBASE(?,?), ref: 0187BD2B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: AttributesFile
                                                        • String ID:
                                                        • API String ID: 3188754299-0
                                                        • Opcode ID: a44405d687fff89ba16a15d6013bb743fcd3ab7bb7a2fe07c988996a2c12fb62
                                                        • Instruction ID: c69f05d533407195d97a3ecea005995486887f1d2ac75d16b83399a4b08e8b8e
                                                        • Opcode Fuzzy Hash: a44405d687fff89ba16a15d6013bb743fcd3ab7bb7a2fe07c988996a2c12fb62
                                                        • Instruction Fuzzy Hash: C3216F715093C09FDB12CF25DC55B92BFA8EF07314F0984DAE985CF263D264A949CB62
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: recv
                                                        • String ID:
                                                        • API String ID: 1507349165-0
                                                        • Opcode ID: b3b6912895199583bdc828b1f2e20bf23a07eaf34ac211dc4a0be8655f3865df
                                                        • Instruction ID: 57b28be63a390659067ced747caae985156c83a1dfc7112b7fe84fc6b4fac116
                                                        • Opcode Fuzzy Hash: b3b6912895199583bdc828b1f2e20bf23a07eaf34ac211dc4a0be8655f3865df
                                                        • Instruction Fuzzy Hash: 19219A7140E3C09FD7138B619C54A52BFB4AF07210F0A84DBD985CF5A3D229A809CB72
                                                        APIs
                                                        • WSASocketW.WS2_32(?,?,?,?,?), ref: 062E187E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: Socket
                                                        • String ID:
                                                        • API String ID: 38366605-0
                                                        • Opcode ID: e1d642ebb06713314bb3c0fc018753a7d54d59e3e5f4154eb31f88b415886838
                                                        • Instruction ID: 08411453d9593b20d66dc9d68c144e9b0bd53b592e0f33769fe24acfdb963685
                                                        • Opcode Fuzzy Hash: e1d642ebb06713314bb3c0fc018753a7d54d59e3e5f4154eb31f88b415886838
                                                        • Instruction Fuzzy Hash: AB21FF71500200AFEB21CF55CD84BA6FBE8EF05324F04886AED858B641D375E459CB62
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: FileView
                                                        • String ID:
                                                        • API String ID: 3314676101-0
                                                        • Opcode ID: c48cf4f9f045f74e30177d83267e1d0b8e37e6d6fa33a136a427af8e2f6f620f
                                                        • Instruction ID: 2ba282a4cf1676929989403cc8bcf89b59ea9b4c9a60db496fe17ad3f812e921
                                                        • Opcode Fuzzy Hash: c48cf4f9f045f74e30177d83267e1d0b8e37e6d6fa33a136a427af8e2f6f620f
                                                        • Instruction Fuzzy Hash: A621F071400204AFEB21CF55CD89FAAFBE8EF08224F088469FA458BA41D375E44DCBA1
                                                        APIs
                                                        • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 062E257A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: Connect
                                                        • String ID:
                                                        • API String ID: 3144859779-0
                                                        • Opcode ID: 582fb2bb1a6e488edde9f7475bebaebc4c7184737ef17a12b5ed7c4b7e7ad9f3
                                                        • Instruction ID: 79ea4fe3f1725ad65ec1bb31b6cd15e298387d99a7ee4e5e5d1f9c5396ed50f5
                                                        • Opcode Fuzzy Hash: 582fb2bb1a6e488edde9f7475bebaebc4c7184737ef17a12b5ed7c4b7e7ad9f3
                                                        • Instruction Fuzzy Hash: FE218E71409380AFDB22CF51DC54B62BFF8EF06210F08849AED858B562D335A918DB61
                                                        APIs
                                                        • GetWindowTextA.USER32(?,00000E24,?,?), ref: 0187A34E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: TextWindow
                                                        • String ID:
                                                        • API String ID: 530164218-0
                                                        • Opcode ID: f9038b0511963893a53f60ba7a7d1387686fd7a8ca1b9cdb0580dd776f8c53d4
                                                        • Instruction ID: f84b0df2e690addfdb97768c6ae5eed8b91e045e607b1d208d4dd84f7e39f0c3
                                                        • Opcode Fuzzy Hash: f9038b0511963893a53f60ba7a7d1387686fd7a8ca1b9cdb0580dd776f8c53d4
                                                        • Instruction Fuzzy Hash: E011E4715093806FD311CB25CC41F62BFB8EF86620F09849AEC849B652D235B919CBB2
                                                        APIs
                                                        • LoadLibraryA.KERNELBASE(?,00000E24), ref: 062E2843
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 68baf6d7db39e94d7f99d6ecfcbea701be896e85f4439d91f6413b628e894223
                                                        • Instruction ID: c1194be9b0c05ba0782a952a8eaf4135af8a45ddfb1108b4ac0d4bd875427699
                                                        • Opcode Fuzzy Hash: 68baf6d7db39e94d7f99d6ecfcbea701be896e85f4439d91f6413b628e894223
                                                        • Instruction Fuzzy Hash: 4B11B171405380AFE721CB11DC85FA6FFA8DF46720F08809AFD859B692D2A4A948CB71
                                                        APIs
                                                        • SendMessageTimeoutA.USER32(?,00000E24), ref: 0187B571
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: MessageSendTimeout
                                                        • String ID:
                                                        • API String ID: 1599653421-0
                                                        • Opcode ID: f8badf61d9397d3f9664df7f3335870ace727697c4bf113438f1c966a3444ddb
                                                        • Instruction ID: a972b2d612b038d8ab2a0b5afb2182dd54b79888ca8868123779e0064c2393e7
                                                        • Opcode Fuzzy Hash: f8badf61d9397d3f9664df7f3335870ace727697c4bf113438f1c966a3444ddb
                                                        • Instruction Fuzzy Hash: DD21E172500204AFEB31DF10CD40FA6FBA8EF04714F04885AFE458A691D375E549CBB1
                                                        APIs
                                                        • RegQueryValueExW.KERNELBASE(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 062E1BC4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: QueryValue
                                                        • String ID:
                                                        • API String ID: 3660427363-0
                                                        • Opcode ID: 7c419276e88d5cfaa1efe10b573c71d240279378db82edee1b9ffdedce94b7f8
                                                        • Instruction ID: 59be9453ba6830f0f817cab337e4e21e7ee40e8f4e7586929d79d3f50dbcd4a2
                                                        • Opcode Fuzzy Hash: 7c419276e88d5cfaa1efe10b573c71d240279378db82edee1b9ffdedce94b7f8
                                                        • Instruction Fuzzy Hash: 8211AF72910204AFEB61CF16CD48FA7F7E8EF04710F08846AED458A751E374E459CAB1
                                                        APIs
                                                        • RegSetValueExW.KERNELBASE(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 0187B480
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID:
                                                        • API String ID: 3702945584-0
                                                        • Opcode ID: e539529d96b0d9dde4d72d31a0e8e243876ee35eeb41210a4831cb4bcf6a60cc
                                                        • Instruction ID: 0ce3c14ecd53642208bdf3dcdde944d47d0eb318828c0016bb070dac1f237a6a
                                                        • Opcode Fuzzy Hash: e539529d96b0d9dde4d72d31a0e8e243876ee35eeb41210a4831cb4bcf6a60cc
                                                        • Instruction Fuzzy Hash: 5911BB76500604AFEB21CE15CD84FA7FBECEF04724F08845AEE85CA652E374E5498AB1
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: Initialize
                                                        • String ID:
                                                        • API String ID: 2538663250-0
                                                        • Opcode ID: 77cdb9ce614dee186433edae871308ba03e2bbd0ff823052e85b876845789e6e
                                                        • Instruction ID: 9b79ce0ad03f6751dd4598e49090a2016b48c6e3d990b507aa31d8a7d85bfc00
                                                        • Opcode Fuzzy Hash: 77cdb9ce614dee186433edae871308ba03e2bbd0ff823052e85b876845789e6e
                                                        • Instruction Fuzzy Hash: C821497140E3C05FDB138B259C94A52BFB49F07220F0984DBD8848F1A3D265A908CB72
                                                        APIs
                                                        • GetProcessTimes.KERNELBASE(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 062E22C1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: ProcessTimes
                                                        • String ID:
                                                        • API String ID: 1995159646-0
                                                        • Opcode ID: baf1c7dc59f78ddbf2dbbae86587910fce7a37eb6c590582ad2af7dbb5061ea6
                                                        • Instruction ID: 5440c70061b91c541bace5e1467517f5c569a38e6eaa9571bf3f6963d38bd255
                                                        • Opcode Fuzzy Hash: baf1c7dc59f78ddbf2dbbae86587910fce7a37eb6c590582ad2af7dbb5061ea6
                                                        • Instruction Fuzzy Hash: BB11D372511204AFEB21CF51DD44FAAFBECEF05314F04C46AED468A651D374A5498BB1
                                                        APIs
                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 0187ABF0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: ChangeCloseFindNotification
                                                        • String ID:
                                                        • API String ID: 2591292051-0
                                                        • Opcode ID: 69ca61618505f38926e40426c0735b7f6f0b33d23a106ded68d97d8f2dc31418
                                                        • Instruction ID: 0cbf646029b9beb3cd330ead3cf09b2de5859431668922230cb7d1063cc24c3c
                                                        • Opcode Fuzzy Hash: 69ca61618505f38926e40426c0735b7f6f0b33d23a106ded68d97d8f2dc31418
                                                        • Instruction Fuzzy Hash: 1E21C3B55097809FD712CB29DC55792BFA8EF02320F0984DBEC858B553D224A908C761
                                                        APIs
                                                        • SetProcessWorkingSetSize.KERNEL32(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 062E3493
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: ProcessSizeWorking
                                                        • String ID:
                                                        • API String ID: 3584180929-0
                                                        • Opcode ID: 2a24ba6e0dae894a0e6f03aeac7c145cd2f9d7b1bdde3b8883a937fc4b85b92a
                                                        • Instruction ID: bd8e1d4347226f52611332db894fa625fd48e5b0ab83fb495d36a24c184ad971
                                                        • Opcode Fuzzy Hash: 2a24ba6e0dae894a0e6f03aeac7c145cd2f9d7b1bdde3b8883a937fc4b85b92a
                                                        • Instruction Fuzzy Hash: E2110172600204AFEB21CF11DD44BAAFBE8EF05324F08C46AEE458B641D375A4488BB1
                                                        APIs
                                                        • GetProcessWorkingSetSize.KERNEL32(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 062E33AF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: ProcessSizeWorking
                                                        • String ID:
                                                        • API String ID: 3584180929-0
                                                        • Opcode ID: 2a24ba6e0dae894a0e6f03aeac7c145cd2f9d7b1bdde3b8883a937fc4b85b92a
                                                        • Instruction ID: c68cccb6d3c9be02f13ef05a61c58a6d337a70503c100ed4755a7794de61e8e7
                                                        • Opcode Fuzzy Hash: 2a24ba6e0dae894a0e6f03aeac7c145cd2f9d7b1bdde3b8883a937fc4b85b92a
                                                        • Instruction Fuzzy Hash: D6110171500204AFEB20CF15CD45FEAFBA8EF04324F08C46AED45CB641D774A4498BB1
                                                        APIs
                                                        • GetExitCodeProcess.KERNELBASE(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 062E0960
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: CodeExitProcess
                                                        • String ID:
                                                        • API String ID: 3861947596-0
                                                        • Opcode ID: b5944b8eabbd0eb304898d85c52558006e3704dbeb9c4156295873fb6d0dd49f
                                                        • Instruction ID: 9eae8ce867c84a374d499e6dab2e48a2a46ccfce31a667e5744bceaf9d5e0796
                                                        • Opcode Fuzzy Hash: b5944b8eabbd0eb304898d85c52558006e3704dbeb9c4156295873fb6d0dd49f
                                                        • Instruction Fuzzy Hash: FB11E371910204AFFB50CF15DD44BAAFBA8DF45724F08C46AED45CB641D3B4A4498AB1
                                                        APIs
                                                        • RegSetValueExW.KERNELBASE(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 0187BF38
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID:
                                                        • API String ID: 3702945584-0
                                                        • Opcode ID: 63fd18c5444a97467e4ef62b31770fe98649ca7b5e97b5559c8b6acc273d6f66
                                                        • Instruction ID: 3bb1f4302658be4276df03b194310ba71c23ff79c47c11d1927344e70320fe50
                                                        • Opcode Fuzzy Hash: 63fd18c5444a97467e4ef62b31770fe98649ca7b5e97b5559c8b6acc273d6f66
                                                        • Instruction Fuzzy Hash: EC11BF72500204AFEB218F05CD44FA6FBE9EF05B24F08C45AEE458BA52D375E549CBB1
                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0187A5DE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: 8d6a63e9a6e3853eceaa5cc782bf41731241be4c7d4a3a819b290d5db71b58de
                                                        • Instruction ID: 564a3bef301f21ffa81bd9b540c6c5ce786394650977d9af5b056748b36da8f9
                                                        • Opcode Fuzzy Hash: 8d6a63e9a6e3853eceaa5cc782bf41731241be4c7d4a3a819b290d5db71b58de
                                                        • Instruction Fuzzy Hash: 94116071409380AFDB228F55DC44A62FFF4EF4A310F08889AED858B562D275A518DB61
                                                        APIs
                                                        • ReadFile.KERNELBASE(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 0187AF0D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: FileRead
                                                        • String ID:
                                                        • API String ID: 2738559852-0
                                                        • Opcode ID: 3ec4c8d44c0653480f2710c703c25d5c96b90a2e2c9df24f451e1dcf0db76676
                                                        • Instruction ID: 56915ac3e73b01a3356c95b7daca472cfdfd1f572a0c01b319c0ac5dc31d1a61
                                                        • Opcode Fuzzy Hash: 3ec4c8d44c0653480f2710c703c25d5c96b90a2e2c9df24f451e1dcf0db76676
                                                        • Instruction Fuzzy Hash: E811EF72500204AFEB21CF51DD84FAAFBE8EF04724F08849AFA458B681D334E5498BB1
                                                        APIs
                                                        • DeleteFileW.KERNELBASE(?), ref: 0187B8E4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: DeleteFile
                                                        • String ID:
                                                        • API String ID: 4033686569-0
                                                        • Opcode ID: 76d0b266bd97f3e277491e4372481bf177f4eb7196534ed5201a4933294f83a8
                                                        • Instruction ID: 121b2cfaa662eed7328e312ef8d96359286cb2e86e41d38fcdcf49c4d312fb4a
                                                        • Opcode Fuzzy Hash: 76d0b266bd97f3e277491e4372481bf177f4eb7196534ed5201a4933294f83a8
                                                        • Instruction Fuzzy Hash: 7E11B2719093809FDB11CB25DC45B52BFE8EF06320F0984EAED95CB653D234E948CB61
                                                        APIs
                                                        • MessageBoxW.USER32(?,?,?,?), ref: 0187BBD9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: Message
                                                        • String ID:
                                                        • API String ID: 2030045667-0
                                                        • Opcode ID: a7b4e78306faf001d20cbb487c5121a50700a5bcaf3f9ed8c56b63b1fffa7175
                                                        • Instruction ID: 7915efeb68ef3c182d5915509157c55e3432cfa9defc021064a7329a141cef8c
                                                        • Opcode Fuzzy Hash: a7b4e78306faf001d20cbb487c5121a50700a5bcaf3f9ed8c56b63b1fffa7175
                                                        • Instruction Fuzzy Hash: 5B118EB1505380AFEB21CF19DC45B62BFB8EF45314F08849AED848B653D221E908CB61
                                                        APIs
                                                        • ioctlsocket.WS2_32(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 062E31FF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: ioctlsocket
                                                        • String ID:
                                                        • API String ID: 3577187118-0
                                                        • Opcode ID: cd854a85803dcc6f4d584354556d4f60296feba102d242c266ea3cc0bce12deb
                                                        • Instruction ID: 0db8247cb2148d698a49224f8fec2e259c7f42b43d5398e42922ca8f9c7b588a
                                                        • Opcode Fuzzy Hash: cd854a85803dcc6f4d584354556d4f60296feba102d242c266ea3cc0bce12deb
                                                        • Instruction Fuzzy Hash: 7F110671500204AFEB21CF51CD44FAAFBE8EF04724F08C46AED458B641D374A4498BB1
                                                        APIs
                                                        • shutdown.WS2_32(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 062E20E8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: shutdown
                                                        • String ID:
                                                        • API String ID: 2510479042-0
                                                        • Opcode ID: 9dc1bebcad90ec3558659a8dc592e506d21645106e8824eed55c956ea1091133
                                                        • Instruction ID: 342db544327340db8cbecb8896bd46c954118b4059d66ac2d21098889f0656d5
                                                        • Opcode Fuzzy Hash: 9dc1bebcad90ec3558659a8dc592e506d21645106e8824eed55c956ea1091133
                                                        • Instruction Fuzzy Hash: 9F110671511204AFEB21CF51DD44FAAFB9CEF04324F14C46AEE458F641D374A5498AB1
                                                        APIs
                                                        • LoadLibraryA.KERNELBASE(?,00000E24), ref: 062E2843
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: aa13695841812c0fa0144865f9d3879f3a02503632c776e0a2e8f6f367f735a1
                                                        • Instruction ID: a81e6a774893cba01199511b3bc00439ba1c589c51a0cd7441d8d6cc550e7943
                                                        • Opcode Fuzzy Hash: aa13695841812c0fa0144865f9d3879f3a02503632c776e0a2e8f6f367f735a1
                                                        • Instruction Fuzzy Hash: 2211CE71911204AFE720DB11DD85BB6FBACDF04724F1480AAEE458A681D3B8A949CAB1
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: select
                                                        • String ID:
                                                        • API String ID: 1274211008-0
                                                        • Opcode ID: 1832b08ff24f43e41dc47d896a7a5413e6249f5cf8ecd1df02d842373cf9ce6b
                                                        • Instruction ID: f0b7c5fc0a3842e1c6718779056be959592e5357caf839749659960f44f9428b
                                                        • Opcode Fuzzy Hash: 1832b08ff24f43e41dc47d896a7a5413e6249f5cf8ecd1df02d842373cf9ce6b
                                                        • Instruction Fuzzy Hash: 79118F71A102048FEB60CF15D884FA6FBE8EF04211F4884AADD89CB652D374E848CBA1
                                                        APIs
                                                        • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 062E04B6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: LookupPrivilegeValue
                                                        • String ID:
                                                        • API String ID: 3899507212-0
                                                        • Opcode ID: 1294bf6bfd67e16206e66cd46602ca88bd9d47763ccbf8ecd190a56cd6301236
                                                        • Instruction ID: 0dbbda7ce2d13390cd2a312c1c67695e73917288078f9de38cc2b41b220c409b
                                                        • Opcode Fuzzy Hash: 1294bf6bfd67e16206e66cd46602ca88bd9d47763ccbf8ecd190a56cd6301236
                                                        • Instruction Fuzzy Hash: 2C11A571A102418FEB60CF29DA44B66FBE8EF14220F08C47ADD45CB742E3B4E455CA61
                                                        APIs
                                                        • CopyFileW.KERNELBASE(?,?,?), ref: 0187B82A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: CopyFile
                                                        • String ID:
                                                        • API String ID: 1304948518-0
                                                        • Opcode ID: 665a08ae367a25224e109fd6ba5360e43b1dfe5c9324510634f5921519bd121b
                                                        • Instruction ID: 9f08f53023d017c60c065fcd6578a736a5b64cedddb4249925f6dbf007123005
                                                        • Opcode Fuzzy Hash: 665a08ae367a25224e109fd6ba5360e43b1dfe5c9324510634f5921519bd121b
                                                        • Instruction Fuzzy Hash: 9F11A571A012048FEB20CF29D885B66FBD8EF05764F08C4AADD45CB752D374E544CA61
                                                        APIs
                                                        • GetFileType.KERNELBASE(?,00000E24,F3335DBD,00000000,00000000,00000000,00000000), ref: 0187ACBD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID:
                                                        • API String ID: 3081899298-0
                                                        • Opcode ID: 9da2c72dc5ff9e24925bde3acc1db1fccc553f90b30f696724d9350220f9fdf9
                                                        • Instruction ID: bac70dbb52b29d2acf3a096bfd9bc3c1ac703875d3251ee29a6f28c1471567f4
                                                        • Opcode Fuzzy Hash: 9da2c72dc5ff9e24925bde3acc1db1fccc553f90b30f696724d9350220f9fdf9
                                                        • Instruction Fuzzy Hash: 2A01D271504204AFE721CB05DD85FBAFBA8DF45724F08C096EE448B742D378E58D8AB1
                                                        APIs
                                                        • WaitForInputIdle.USER32(?,?), ref: 0187B76F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: IdleInputWait
                                                        • String ID:
                                                        • API String ID: 2200289081-0
                                                        • Opcode ID: 2264cb17e5073326db1e6a09b9d0fc0c49ce6d85868e2201a81c40d2eaefa4aa
                                                        • Instruction ID: 6163bdc9e08c8655250da2cf0975971d3b39d5cee7fdcc343383576c61c0db47
                                                        • Opcode Fuzzy Hash: 2264cb17e5073326db1e6a09b9d0fc0c49ce6d85868e2201a81c40d2eaefa4aa
                                                        • Instruction Fuzzy Hash: E5115E714093849FDB11CF55DC85B52FFA4EF46320F09849AED858F262D275A948CB62
                                                        APIs
                                                        • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 062E257A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: Connect
                                                        • String ID:
                                                        • API String ID: 3144859779-0
                                                        • Opcode ID: 3440eb714f85de0a02e03542b691701a38e3934829a566a785ad5630c3583e13
                                                        • Instruction ID: a790cfd8594ffe3d1608e32a59c02c227e80d21ed9cba5bb41093361d1524638
                                                        • Opcode Fuzzy Hash: 3440eb714f85de0a02e03542b691701a38e3934829a566a785ad5630c3583e13
                                                        • Instruction Fuzzy Hash: 82117C71911604DFEB20CF55DA44B62FBE8EF08310F0885AAEE868B626D375E558CF61
                                                        APIs
                                                        • K32EnumProcesses.KERNEL32(?,?,?,F3335DBD,00000000,?,?,?,?,?,?,?,?,6CA83C58), ref: 062E0AF2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: EnumProcesses
                                                        • String ID:
                                                        • API String ID: 84517404-0
                                                        • Opcode ID: 10273e74e8dd30a22b9a7fd41daa47f9f80d41948fe16fee1dab1ddfd8e9c26b
                                                        • Instruction ID: 55bc965ce836341405f3e3432fbb5a8cb2b092ed3613f401f92b7d01d456a6af
                                                        • Opcode Fuzzy Hash: 10273e74e8dd30a22b9a7fd41daa47f9f80d41948fe16fee1dab1ddfd8e9c26b
                                                        • Instruction Fuzzy Hash: 3511A171A102048FEB50CF25D884B66FBE8EF04324F08C4AADE49CB651D3B4E459CB62
                                                        APIs
                                                        • DispatchMessageW.USER32(?), ref: 062E1328
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: DispatchMessage
                                                        • String ID:
                                                        • API String ID: 2061451462-0
                                                        • Opcode ID: 103c2f13993683603f95679177a7b9863d0df2fb6559a90d219a7062b072ddb6
                                                        • Instruction ID: 1f3f789e105b0e796d6aa630ed82d12e2fce1e75b21718cd8b82fc5e49efec30
                                                        • Opcode Fuzzy Hash: 103c2f13993683603f95679177a7b9863d0df2fb6559a90d219a7062b072ddb6
                                                        • Instruction Fuzzy Hash: 661188714093849FD7128F15DC44B62FFB4EF47625F0880DAED858B653D275A858CB72
                                                        APIs
                                                        • SetFileAttributesW.KERNELBASE(?,?), ref: 0187BD2B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: AttributesFile
                                                        • String ID:
                                                        • API String ID: 3188754299-0
                                                        APIs
                                                        • DeleteFileW.KERNELBASE(?), ref: 0187B8E4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: DeleteFile
                                                        • String ID:
                                                        • API String ID: 4033686569-0
                                                        APIs
                                                        • GetWindowTextA.USER32(?,00000E24,?,?), ref: 0187A34E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: TextWindow
                                                        • String ID:
                                                        • API String ID: 530164218-0
                                                        APIs
                                                        • MessageBoxW.USER32(?,?,?,?), ref: 0187BBD9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: Message
                                                        • String ID:
                                                        • API String ID: 2030045667-0
                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0187A5DE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        APIs
                                                        • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 062E17C6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: QueryValue
                                                        • String ID:
                                                        • API String ID: 3660427363-0
                                                        APIs
                                                        • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0187A77E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: Clipboard
                                                        • String ID:
                                                        • API String ID: 220874293-0
                                                        APIs
                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 0187ABF0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: ChangeCloseFindNotification
                                                        • String ID:
                                                        • API String ID: 2591292051-0
                                                        APIs
                                                        • EnumThreadWindows.USER32(?,00000E24,?,?), ref: 0187BB42
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: EnumThreadWindows
                                                        • String ID:
                                                        • API String ID: 2941952884-0
                                                        APIs
                                                        • WaitForInputIdle.USER32(?,?), ref: 0187B76F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: IdleInputWait
                                                        • String ID:
                                                        • API String ID: 2200289081-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: Initialize
                                                        • String ID:
                                                        • API String ID: 2538663250-0
                                                        APIs
                                                        • DispatchMessageW.USER32(?), ref: 062E1328
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4442827300.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_62e0000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: DispatchMessage
                                                        • String ID:
                                                        • API String ID: 2061451462-0
                                                        APIs
                                                        • SetErrorMode.KERNELBASE(?), ref: 0187AA44
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438429585.000000000187A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_187a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode
                                                        • String ID:
                                                        • API String ID: 2340568224-0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: :@k
                                                        • API String ID: 0-2277858631
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: :@k
                                                        • API String ID: 0-2277858631
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: :@k
                                                        • API String ID: 0-2277858631
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: :@k
                                                        • API String ID: 0-2277858631
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: :@k
                                                        • API String ID: 0-2277858631
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: :@k
                                                        • API String ID: 0-2277858631
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: :@k
                                                        • API String ID: 0-2277858631
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b85f53efba946a0c07bded77f47266181f02ca753ba88fa0cbca04b7f9847a32
                                                        • Instruction ID: 94d1d03657deea4ccf8346497eb7e0bf4abb6b4f66f740ae42250bec2c1c2920
                                                        • Opcode Fuzzy Hash: b85f53efba946a0c07bded77f47266181f02ca753ba88fa0cbca04b7f9847a32
                                                        • Instruction Fuzzy Hash: B751C230604602DFD718CB36D801BA977E2FB45394F588169E852EB2D1EB38DD4AEF21
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1c57c07e3b0cab108dc6634e98aeac73d1d0a1045ff101990af3616dcb1563b9
                                                        • Instruction ID: 0706d530b4725d533d88927dbef67ee85dcb5c08202b3e405007ff8f6b9a4800
                                                        • Opcode Fuzzy Hash: 1c57c07e3b0cab108dc6634e98aeac73d1d0a1045ff101990af3616dcb1563b9
                                                        • Instruction Fuzzy Hash: 7D419070604A029FD718CB36D811BA937E2FB45398F588169D811EB2D1DF38DE4AEF25
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1bec435773b265f3f69f3a3d90fdfc995a6d1b9630ee8f3e73e12e1569e3ae1a
                                                        • Instruction ID: 6d94f6bf584abac4fb366d65e8387042cd8c8c7f82f6df49ae0a1115975dbc2f
                                                        • Opcode Fuzzy Hash: 1bec435773b265f3f69f3a3d90fdfc995a6d1b9630ee8f3e73e12e1569e3ae1a
                                                        • Instruction Fuzzy Hash: 39413970A002188FDB14DFB9C9547ECB7F2BF85308F0045AAD409AB694DB799E88DF61
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 641f1c58df7f28963290ff07a326a5ca2650441a3c763043894a0d4ef251cd84
                                                        • Instruction ID: 52ef318c63e178116ea7217db9f9601fbd760c0ba673d95821604aaf69cc6d6a
                                                        • Opcode Fuzzy Hash: 641f1c58df7f28963290ff07a326a5ca2650441a3c763043894a0d4ef251cd84
                                                        • Instruction Fuzzy Hash: 2831DD34B00205DFDB04DB79C954BAEBBF2BF88304F148029E905AB7A1DF719C499B90
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7967d775e954a5df4d133f6243a2a595d1997413f187461926685ad42dc090c7
                                                        • Instruction ID: 345a46ea5e5a1d468d48037232735ad518fb7b7f87c8462be3086d19b85e3c30
                                                        • Opcode Fuzzy Hash: 7967d775e954a5df4d133f6243a2a595d1997413f187461926685ad42dc090c7
                                                        • Instruction Fuzzy Hash: CC3103307043409FC719EB75D811BAE3BA7BBC2658F0480AAD445DB791CF799D4E87A2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1fcf0e5bf96be52a652e0644d8e12d412371535f777476f0aeaa9690868f8050
                                                        • Instruction ID: e94926c7d9a5ac961f3d17fef29d436ccb8bc1227b130e6cde6870a66a70d006
                                                        • Opcode Fuzzy Hash: 1fcf0e5bf96be52a652e0644d8e12d412371535f777476f0aeaa9690868f8050
                                                        • Instruction Fuzzy Hash: 092129A584E7C18FC3138B7498295903FB0BF1721870F80DBD480CB1A3D268495EDB32
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441881751.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5620000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 08665ed60c0413689ad51084cd6bfe8f8f94fd22297682cead31d19f776d65cf
                                                        • Instruction ID: 91fc8425764511f45c373861a11b5df53d429127996964e5ecc426e3fc088bd0
                                                        • Opcode Fuzzy Hash: 08665ed60c0413689ad51084cd6bfe8f8f94fd22297682cead31d19f776d65cf
                                                        • Instruction Fuzzy Hash: 3011CCB5909341AFD340CF19D840A5BFBE4FB88664F04895EF998D7311E335E9088FA2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438985351.0000000001B60000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1b60000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 42d254b8a2fa686921d9cb1840028db72719447b3b10400f87a2ff23ac3a3416
                                                        • Instruction ID: f53200480e41fc2f68d91b21f2a493cb43864c439c355cb38986487468c11847
                                                        • Opcode Fuzzy Hash: 42d254b8a2fa686921d9cb1840028db72719447b3b10400f87a2ff23ac3a3416
                                                        • Instruction Fuzzy Hash: 4611E1312442809FD719DB15C940B2ABBA9EB98708F28CADCF9490B753C77FD842CA51
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f3ca897f1a03bd492c912fe7922e2f36a8259146ddd6018dd8e20d94a0c01d6e
                                                        • Instruction ID: ec309dc4ef59cb064cb00b5c3574687ee48b30f007ad5992a5cce361f1833239
                                                        • Opcode Fuzzy Hash: f3ca897f1a03bd492c912fe7922e2f36a8259146ddd6018dd8e20d94a0c01d6e
                                                        • Instruction Fuzzy Hash: 1F1102306006004FC329A77AE0107AD37EBBBC26587048069D445CB745CF79DD4E9BB2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 79bdf277d9550566ab935f20664a63400882ab83d71474509293c726c919aacb
                                                        • Instruction ID: 898b45a0cc7853eab4a022c99c94647ba41446fa0fb3426305f3b12ac1f4cf89
                                                        • Opcode Fuzzy Hash: 79bdf277d9550566ab935f20664a63400882ab83d71474509293c726c919aacb
                                                        • Instruction Fuzzy Hash: C711C270F006159FCB44DF78D8105AEBBF6EF8A2547108079D505E7751EB359D06CB90
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 78abfbbf016f2c227590ebd77c5f0a70e3930eb9a534ffa2b515f0ff6b24f66a
                                                        • Instruction ID: f42115529e3cc5fcbe51320ed452232e56c68bf81f997e3a4618b4303fae367d
                                                        • Opcode Fuzzy Hash: 78abfbbf016f2c227590ebd77c5f0a70e3930eb9a534ffa2b515f0ff6b24f66a
                                                        • Instruction Fuzzy Hash: E20124392147419FC3162778E8250693BA6EBC726670480AAE580CB362DF3D8D1EC7B2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438500887.000000000188A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0188A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_188a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8d5b3d4c1488413a5e7699d68daba6e8a3e68bc41e9b6b6dc3368ef206780193
                                                        • Instruction ID: d1130942466fc42ebb459a99506aa370ed47d1ef2bf06668a4c834c176844778
                                                        • Opcode Fuzzy Hash: 8d5b3d4c1488413a5e7699d68daba6e8a3e68bc41e9b6b6dc3368ef206780193
                                                        • Instruction Fuzzy Hash: 3C11FAB5908301AFD350CF09DC40E5BFBE8EB88660F04891EF99897311E231E9088FA2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441881751.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5620000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 27c4a81ce0237c7e2f05254ba0b965a7d647bd4353ec9bd41d6738c1a5019e4b
                                                        • Instruction ID: 6624ec229571831ad5869d6442ef43ff1acbb3846e995a2fa5b27261a10454b4
                                                        • Opcode Fuzzy Hash: 27c4a81ce0237c7e2f05254ba0b965a7d647bd4353ec9bd41d6738c1a5019e4b
                                                        • Instruction Fuzzy Hash: 0011FEB5909301AFD750CF09DC40E57FBE8EB88660F04881EF95897311D231E9088FA2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438985351.0000000001B60000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1b60000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a4786fc9743da79bae8102102cfd7cd0a4949508094cabbb35afc367fd442263
                                                        • Instruction ID: 47f85a9889bf0c84fa63d39fe6a4854e0e44d83354e3b861d85107800e96b4d0
                                                        • Opcode Fuzzy Hash: a4786fc9743da79bae8102102cfd7cd0a4949508094cabbb35afc367fd442263
                                                        • Instruction Fuzzy Hash: 2B1119305093C09FC717CB15C990B16BFB1EF56608F2986DEE4899B6A3C33A9856CB52
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438985351.0000000001B60000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1b60000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b958981fe207fdfdf7320688d46c346e67776070358c5d64739a837cb35f2130
                                                        • Instruction ID: 8dee6eace5143da4aecea6598dd810450b1160f9974599bacff417b0f2044f46
                                                        • Opcode Fuzzy Hash: b958981fe207fdfdf7320688d46c346e67776070358c5d64739a837cb35f2130
                                                        • Instruction Fuzzy Hash: CE01AEB650D7845FD711CB069C41862FFF8DF86520709C49FED498B752D125A809CB72
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5bab24a6a2d7e9f9f0570a2d378bc3cbfe538289b6e5a6f6325ff2701ceb1ce7
                                                        • Instruction ID: 3f581465bf3b7dfd3a167ed721272c02162e1b7e0afc36b34d3a96f32abc5b2f
                                                        • Opcode Fuzzy Hash: 5bab24a6a2d7e9f9f0570a2d378bc3cbfe538289b6e5a6f6325ff2701ceb1ce7
                                                        • Instruction Fuzzy Hash: 9A01133560A643CFCB01FB78D15856D7BE2EF84208B44895CE185CB35AEA749E1CEF52
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441962133.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5760000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 474143091a92a15573c24c3a52647eb6c6826c18cf71582d784d4f8bc91f4214
                                                        • Instruction ID: 5f6aafcb0169afa0837158ddd75ea6aed87daced5820c61f98e08d5387120390
                                                        • Opcode Fuzzy Hash: 474143091a92a15573c24c3a52647eb6c6826c18cf71582d784d4f8bc91f4214
                                                        • Instruction Fuzzy Hash: ACF0F072B00304AFEB08EF70CC12BAE7B63EF81324F1481AEA541DB2C0EE3199468740
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438985351.0000000001B60000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1b60000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 07dcd34f4dd6098958272176fe8b0d01bcbd30a820aeeea74a2672d383e970e9
                                                        • Instruction ID: f270e79d7935c77a47034eecfdb5161d01777115a5e2ae2b168630d7bb5bbbe0
                                                        • Opcode Fuzzy Hash: 07dcd34f4dd6098958272176fe8b0d01bcbd30a820aeeea74a2672d383e970e9
                                                        • Instruction Fuzzy Hash: 9FF01D35144644DFC306CF04D540B19FBA6EB89718F24CBADE94907762C73BD813DA81
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438985351.0000000001B60000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1b60000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1d4447592d630edba8e4cf35b1f8c1936e9d8bfff8018813df566d6c3bd5962c
                                                        • Instruction ID: 5c2f0b6b308591d0a3296299c5a2b00b36843ff65bef74de7b8611f4b41e3a77
                                                        • Opcode Fuzzy Hash: 1d4447592d630edba8e4cf35b1f8c1936e9d8bfff8018813df566d6c3bd5962c
                                                        • Instruction Fuzzy Hash: B5E092B66046044B9650DF0AEC41462F7D8EB88630718C07FDC0D8BB11E235B509CAA5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4438500887.000000000188A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0188A000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_188a000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6f16bdde6c82de3224bca1e892a87e18c883d51f183d0cc9c421985f0168390b
                                                        • Instruction ID: 72981bf27b252d4c7f668513eb3b89c25a377e7918faad3c8fb5af00dd2b6828
                                                        • Opcode Fuzzy Hash: 6f16bdde6c82de3224bca1e892a87e18c883d51f183d0cc9c421985f0168390b
                                                        • Instruction Fuzzy Hash: ABE0DFB29412046BD2109E06AC46F62FB98EB40A30F08C56BEE085B742E272B5088AF1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441881751.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5620000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9cdbc1db21e86c556ac90b83215e0b7e3d5b824eaac17ad239d3d7af9c8f7a37
                                                        • Instruction ID: d75b9841cdce3833ee952d11fe44df879af5e614f5596e078c7ace4fb3193983
                                                        • Opcode Fuzzy Hash: 9cdbc1db21e86c556ac90b83215e0b7e3d5b824eaac17ad239d3d7af9c8f7a37
                                                        • Instruction Fuzzy Hash: 72E0DFB29412006BD6109E06AC46F62FB98EB84A30F08C46BED081B742E172B5188AE1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441881751.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5620000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0dae362fd3bfec414518118e8fe9b8ad441652c14983b8ae09264d0a35de9a15
                                                        • Instruction ID: 84f79ad5c6e08ae61542397a8a9f21850475c33f064baf153bd722c8fb23d31c
                                                        • Opcode Fuzzy Hash: 0dae362fd3bfec414518118e8fe9b8ad441652c14983b8ae09264d0a35de9a15
                                                        • Instruction Fuzzy Hash: 80E0D8B294120067D210DE06AC45F63FB98DB40930F04C457ED081B702E172B514CAE1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4441881751.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5620000_1iZH7aeO5F.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8bad4ee307b1d4e51befde4dbf922b9a6bc903fffb1529fdb11af97f0a753235