Edit tour

Windows Analysis Report
PQ2.exe

Overview

General Information

Sample name:	PQ2.exe
Analysis ID:	1583199
MD5:	77b621c8ae246da4619c8315c6996576
SHA1:	43b19a006a6e8c864b33f63604c3d5b94b26a410
SHA256:	0cb5c8e6987f74a213353851dc12b7b3a08130fd5ebb18f4455c659e8f46442f
Tags:	Backdoorexemalwaretrojanuser-Joker
Infos:

Detection

Mimikatz

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Mimikatz

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Opens the same file many times (likely Sandbox evasion)

Self deletion via cmd or bat file

Tries to delay execution (extensive OutputDebugStringW loop)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Drops PE files to the program root directory (C:\Program Files)

Entry point lies outside standard sections

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

PQ2.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\PQ2.exe" MD5: 77B621C8AE246DA4619C8315C6996576)

cmd.exe (PID: 7324 cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\PQ2.exe > nul MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7404 cmdline: ping -n 2 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)

Deuvw.exe (PID: 7300 cmdline: "C:\\Program Files\\Deuvw.exe" -auto MD5: 77B621C8AE246DA4619C8315C6996576)

Deuvw.exe (PID: 7332 cmdline: "C:\Program Files\Deuvw.exe" -acsi MD5: 77B621C8AE246DA4619C8315C6996576)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
MimiKatz	Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks.Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.	APT32 Anunak GALLIUM	http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks http://www.secureworks.com/research/threat-profiles/gold-burlap http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Gh0st_ee6de6bc	Identifies a variant of Gh0st Rat	unknown	0xe0e:$a1: :]%d-%d-%d %d:%d:%d 0xbd4:$a2: [Pause Break] 0x24b14:$a3: f-secure.exe 0x1158:$a4: Accept-Language: zh-cn 0x11f1:$a4: Accept-Language: zh-cn 0x1324:$a4: Accept-Language: zh-cn 0x1467:$a4: Accept-Language: zh-cn 0x16bc:$a4: Accept-Language: zh-cn
00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Gh0st_ee6de6bc	Identifies a variant of Gh0st Rat	unknown	0xe0e:$a1: :]%d-%d-%d %d:%d:%d 0xbd4:$a2: [Pause Break] 0x24b14:$a3: f-secure.exe 0x1158:$a4: Accept-Language: zh-cn 0x11f1:$a4: Accept-Language: zh-cn 0x1324:$a4: Accept-Language: zh-cn 0x1467:$a4: Accept-Language: zh-cn 0x16bc:$a4: Accept-Language: zh-cn
00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Gh0st_ee6de6bc	Identifies a variant of Gh0st Rat	unknown	0xe0e:$a1: :]%d-%d-%d %d:%d:%d 0xbd4:$a2: [Pause Break] 0x24b14:$a3: f-secure.exe 0x1158:$a4: Accept-Language: zh-cn 0x11f1:$a4: Accept-Language: zh-cn 0x1324:$a4: Accept-Language: zh-cn 0x1467:$a4: Accept-Language: zh-cn 0x16bc:$a4: Accept-Language: zh-cn
Process Memory Space: PQ2.exe PID: 7280	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
Process Memory Space: PQ2.exe PID: 7280	Windows_Trojan_Gh0st_ee6de6bc	Identifies a variant of Gh0st Rat	unknown	0x91ff:$a1: :]%d-%d-%d %d:%d:%d 0x8fb9:$a2: [Pause Break] 0x9098:$a2: [Pause Break] 0xfb7f:$a3: f-secure.exe 0x969b:$a4: Accept-Language: zh-cn
Process Memory Space: Deuvw.exe PID: 7300	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
Process Memory Space: Deuvw.exe PID: 7300	Windows_Trojan_Gh0st_ee6de6bc	Identifies a variant of Gh0st Rat	unknown	0x128a5:$a1: :]%d-%d-%d %d:%d:%d 0x1265f:$a2: [Pause Break] 0x1273e:$a2: [Pause Break] 0x19225:$a3: f-secure.exe 0x12d41:$a4: Accept-Language: zh-cn
Process Memory Space: Deuvw.exe PID: 7332	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
Process Memory Space: Deuvw.exe PID: 7332	Windows_Trojan_Gh0st_ee6de6bc	Identifies a variant of Gh0st Rat	unknown	0x23cf2:$a1: :]%d-%d-%d %d:%d:%d 0x23aac:$a2: [Pause Break] 0x23b8b:$a2: [Pause Break] 0x2a672:$a3: f-secure.exe 0x2418e:$a4: Accept-Language: zh-cn
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.Deuvw.exe.100ff940.2.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x7b12:$h1: Hid_State 0x7b26:$h2: Hid_StealthMode 0x7b46:$h3: Hid_HideFsDirs 0x7b64:$h4: Hid_HideFsFiles 0x7b84:$h5: Hid_HideRegKeys 0x7ba4:$h6: Hid_HideRegValues 0x7bc8:$h7: Hid_IgnoredImages 0x7bec:$h8: Hid_ProtectedImages 0xc42e:$s1: FLTMGR.SYS 0xc9aa:$s2: HAL.dll 0x954e:$s3: \SystemRoot\System32\csrss.exe 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ 0x258:$s5: INIT 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
3.2.Deuvw.exe.100ff940.3.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x7b12:$h1: Hid_State 0x7b26:$h2: Hid_StealthMode 0x7b46:$h3: Hid_HideFsDirs 0x7b64:$h4: Hid_HideFsFiles 0x7b84:$h5: Hid_HideRegKeys 0x7ba4:$h6: Hid_HideRegValues 0x7bc8:$h7: Hid_IgnoredImages 0x7bec:$h8: Hid_ProtectedImages 0xc42e:$s1: FLTMGR.SYS 0xc9aa:$s2: HAL.dll 0x954e:$s3: \SystemRoot\System32\csrss.exe 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ 0x258:$s5: INIT 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
0.2.PQ2.exe.100ff940.3.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x7b12:$h1: Hid_State 0x7b26:$h2: Hid_StealthMode 0x7b46:$h3: Hid_HideFsDirs 0x7b64:$h4: Hid_HideFsFiles 0x7b84:$h5: Hid_HideRegKeys 0x7ba4:$h6: Hid_HideRegValues 0x7bc8:$h7: Hid_IgnoredImages 0x7bec:$h8: Hid_ProtectedImages 0xc42e:$s1: FLTMGR.SYS 0xc9aa:$s2: HAL.dll 0x954e:$s3: \SystemRoot\System32\csrss.exe 0xad84:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ 0x258:$s5: INIT 0xbe7e:$s6: \hidden-master\Debug\QAssist.pdb
1.2.Deuvw.exe.1010ef88.4.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x110a8:$x4: Http/1.1 403 Forbidden 0x110a8:$s5: Http/1.1 403 Forbidden
1.2.Deuvw.exe.1010ef88.4.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x1105f:$x1: sekurlsa::logonpasswords
1.2.Deuvw.exe.1010ef88.4.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xaa30:$h1: Hid_State 0xaa50:$h2: Hid_StealthMode 0xaa70:$h3: Hid_HideFsDirs 0xaa90:$h4: Hid_HideFsFiles 0xaab0:$h5: Hid_HideRegKeys 0xaad0:$h6: Hid_HideRegValues 0xab00:$h7: Hid_IgnoredImages 0xab30:$h8: Hid_ProtectedImages 0xfb5a:$s1: FLTMGR.SYS 0xc6b0:$s3: \SystemRoot\System32\csrss.exe 0xe080:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
0.2.PQ2.exe.1010ef88.4.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x110a8:$x4: Http/1.1 403 Forbidden 0x110a8:$s5: Http/1.1 403 Forbidden
0.2.PQ2.exe.1010ef88.4.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x1105f:$x1: sekurlsa::logonpasswords
0.2.PQ2.exe.1010ef88.4.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xaa30:$h1: Hid_State 0xaa50:$h2: Hid_StealthMode 0xaa70:$h3: Hid_HideFsDirs 0xaa90:$h4: Hid_HideFsFiles 0xaab0:$h5: Hid_HideRegKeys 0xaad0:$h6: Hid_HideRegValues 0xab00:$h7: Hid_IgnoredImages 0xab30:$h8: Hid_ProtectedImages 0xfb5a:$s1: FLTMGR.SYS 0xc6b0:$s3: \SystemRoot\System32\csrss.exe 0xe080:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
3.2.Deuvw.exe.1010ef88.4.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x110a8:$x4: Http/1.1 403 Forbidden 0x110a8:$s5: Http/1.1 403 Forbidden
3.2.Deuvw.exe.1010ef88.4.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x1105f:$x1: sekurlsa::logonpasswords
3.2.Deuvw.exe.1010ef88.4.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xaa30:$h1: Hid_State 0xaa50:$h2: Hid_StealthMode 0xaa70:$h3: Hid_HideFsDirs 0xaa90:$h4: Hid_HideFsFiles 0xaab0:$h5: Hid_HideRegKeys 0xaad0:$h6: Hid_HideRegValues 0xab00:$h7: Hid_IgnoredImages 0xab30:$h8: Hid_ProtectedImages 0xfb5a:$s1: FLTMGR.SYS 0xc6b0:$s3: \SystemRoot\System32\csrss.exe 0xe080:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
1.2.Deuvw.exe.100ff940.2.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
1.2.Deuvw.exe.100ff940.2.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x236f0:$x4: Http/1.1 403 Forbidden 0x236f0:$s5: Http/1.1 403 Forbidden
1.2.Deuvw.exe.100ff940.2.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x236a7:$x1: sekurlsa::logonpasswords
1.2.Deuvw.exe.100ff940.2.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x8712:$h1: Hid_State 0x1ac78:$h1: Hid_State 0x8726:$h2: Hid_StealthMode 0x1ac98:$h2: Hid_StealthMode 0x8746:$h3: Hid_HideFsDirs 0x1acb8:$h3: Hid_HideFsDirs 0x8764:$h4: Hid_HideFsFiles 0x1acd8:$h4: Hid_HideFsFiles 0x8784:$h5: Hid_HideRegKeys 0x1acf8:$h5: Hid_HideRegKeys 0x87a4:$h6: Hid_HideRegValues 0x1ad18:$h6: Hid_HideRegValues 0x87c8:$h7: Hid_IgnoredImages 0x1ad48:$h7: Hid_IgnoredImages 0x87ec:$h8: Hid_ProtectedImages 0x1ad78:$h8: Hid_ProtectedImages 0xd02e:$s1: FLTMGR.SYS 0x209a2:$s1: FLTMGR.SYS 0xd5aa:$s2: HAL.dll 0xa14e:$s3: \SystemRoot\System32\csrss.exe 0x1c8f8:$s3: \SystemRoot\System32\csrss.exe
0.2.PQ2.exe.1010ef88.4.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
0.2.PQ2.exe.1010ef88.4.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x140a8:$x4: Http/1.1 403 Forbidden 0x140a8:$s5: Http/1.1 403 Forbidden
0.2.PQ2.exe.1010ef88.4.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x1405f:$x1: sekurlsa::logonpasswords
0.2.PQ2.exe.1010ef88.4.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xb630:$h1: Hid_State 0xb650:$h2: Hid_StealthMode 0xb670:$h3: Hid_HideFsDirs 0xb690:$h4: Hid_HideFsFiles 0xb6b0:$h5: Hid_HideRegKeys 0xb6d0:$h6: Hid_HideRegValues 0xb700:$h7: Hid_IgnoredImages 0xb730:$h8: Hid_ProtectedImages 0x1135a:$s1: FLTMGR.SYS 0xd2b0:$s3: \SystemRoot\System32\csrss.exe 0xec80:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
3.2.Deuvw.exe.1010ef88.4.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
3.2.Deuvw.exe.1010ef88.4.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x140a8:$x4: Http/1.1 403 Forbidden 0x140a8:$s5: Http/1.1 403 Forbidden
3.2.Deuvw.exe.1010ef88.4.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x1405f:$x1: sekurlsa::logonpasswords
3.2.Deuvw.exe.1010ef88.4.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xb630:$h1: Hid_State 0xb650:$h2: Hid_StealthMode 0xb670:$h3: Hid_HideFsDirs 0xb690:$h4: Hid_HideFsFiles 0xb6b0:$h5: Hid_HideRegKeys 0xb6d0:$h6: Hid_HideRegValues 0xb700:$h7: Hid_IgnoredImages 0xb730:$h8: Hid_ProtectedImages 0x1135a:$s1: FLTMGR.SYS 0xd2b0:$s3: \SystemRoot\System32\csrss.exe 0xec80:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
0.2.PQ2.exe.100ff940.3.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
0.2.PQ2.exe.100ff940.3.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x236f0:$x4: Http/1.1 403 Forbidden 0x236f0:$s5: Http/1.1 403 Forbidden
0.2.PQ2.exe.100ff940.3.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x236a7:$x1: sekurlsa::logonpasswords
0.2.PQ2.exe.100ff940.3.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x8712:$h1: Hid_State 0x1ac78:$h1: Hid_State 0x8726:$h2: Hid_StealthMode 0x1ac98:$h2: Hid_StealthMode 0x8746:$h3: Hid_HideFsDirs 0x1acb8:$h3: Hid_HideFsDirs 0x8764:$h4: Hid_HideFsFiles 0x1acd8:$h4: Hid_HideFsFiles 0x8784:$h5: Hid_HideRegKeys 0x1acf8:$h5: Hid_HideRegKeys 0x87a4:$h6: Hid_HideRegValues 0x1ad18:$h6: Hid_HideRegValues 0x87c8:$h7: Hid_IgnoredImages 0x1ad48:$h7: Hid_IgnoredImages 0x87ec:$h8: Hid_ProtectedImages 0x1ad78:$h8: Hid_ProtectedImages 0xd02e:$s1: FLTMGR.SYS 0x209a2:$s1: FLTMGR.SYS 0xd5aa:$s2: HAL.dll 0xa14e:$s3: \SystemRoot\System32\csrss.exe 0x1c8f8:$s3: \SystemRoot\System32\csrss.exe
3.2.Deuvw.exe.100ff940.3.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
3.2.Deuvw.exe.100ff940.3.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x236f0:$x4: Http/1.1 403 Forbidden 0x236f0:$s5: Http/1.1 403 Forbidden
3.2.Deuvw.exe.100ff940.3.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x236a7:$x1: sekurlsa::logonpasswords
3.2.Deuvw.exe.100ff940.3.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0x8712:$h1: Hid_State 0x1ac78:$h1: Hid_State 0x8726:$h2: Hid_StealthMode 0x1ac98:$h2: Hid_StealthMode 0x8746:$h3: Hid_HideFsDirs 0x1acb8:$h3: Hid_HideFsDirs 0x8764:$h4: Hid_HideFsFiles 0x1acd8:$h4: Hid_HideFsFiles 0x8784:$h5: Hid_HideRegKeys 0x1acf8:$h5: Hid_HideRegKeys 0x87a4:$h6: Hid_HideRegValues 0x1ad18:$h6: Hid_HideRegValues 0x87c8:$h7: Hid_IgnoredImages 0x1ad48:$h7: Hid_IgnoredImages 0x87ec:$h8: Hid_ProtectedImages 0x1ad78:$h8: Hid_ProtectedImages 0xd02e:$s1: FLTMGR.SYS 0x209a2:$s1: FLTMGR.SYS 0xd5aa:$s2: HAL.dll 0xa14e:$s3: \SystemRoot\System32\csrss.exe 0x1c8f8:$s3: \SystemRoot\System32\csrss.exe
1.2.Deuvw.exe.1010ef88.4.raw.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
1.2.Deuvw.exe.1010ef88.4.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x140a8:$x4: Http/1.1 403 Forbidden 0x140a8:$s5: Http/1.1 403 Forbidden
1.2.Deuvw.exe.1010ef88.4.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x1405f:$x1: sekurlsa::logonpasswords
1.2.Deuvw.exe.1010ef88.4.raw.unpack	INDICATOR_TOOL_RTK_HiddenRootKit	Detects the Hidden public rootkit	ditekSHen	0xb630:$h1: Hid_State 0xb650:$h2: Hid_StealthMode 0xb670:$h3: Hid_HideFsDirs 0xb690:$h4: Hid_HideFsFiles 0xb6b0:$h5: Hid_HideRegKeys 0xb6d0:$h6: Hid_HideRegValues 0xb700:$h7: Hid_IgnoredImages 0xb730:$h8: Hid_ProtectedImages 0x1135a:$s1: FLTMGR.SYS 0xd2b0:$s3: \SystemRoot\System32\csrss.exe 0xec80:$s4: \REGISTRY\MACHINE\SYSTEM\ControlSet001\%wZ
Click to see the 31 entries

Suricata Signatures

ETPRO MALWARE Win32/Farfli.CTT CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T08:43:02.233971+0100	2842048	1	Malware Command and Control Activity Detected	192.168.2.5	49704	38.6.164.159	14994	TCP
2025-01-02T08:43:06.535380+0100	2842048	1	Malware Command and Control Activity Detected	192.168.2.5	49704	38.6.164.159	14994	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PQ2.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files\Deuvw.exe

Avira: detection malicious, Label: TR/Crypt.XPACK.Gen

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Deuvw.exe

ReversingLabs: Detection: 84%

Multi AV Scanner detection for submitted file

Source: PQ2.exe	ReversingLabs: Detection: 84%
Source: PQ2.exe	Virustotal: Detection: 70%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Program Files\Deuvw.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PQ2.exe

Joe Sandbox ML: detected

Source: PQ2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\PQ2.exe

Directory created: C:\Program Files\Deuvw.exe

Jump to behavior

Source:	Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: F:\hidden-master\Debug\QAssist.pdb source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Program Files\Deuvw.exe	File opened: z:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: x:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: v:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: t:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: r:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: p:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: n:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: l:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: j:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: h:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: f:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: b:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: y:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: w:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: u:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: s:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: q:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: o:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: m:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: k:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: i:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: g:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: e:	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: [:	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2842048 - Severity 1 - ETPRO MALWARE Win32/Farfli.CTT CnC Activity : 192.168.2.5:49704 -> 38.6.164.159:14994

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 38.6.164.159:14994

Source: Joe Sandbox View

ASN Name: COGENT-174US COGENT-174US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: hzh.0xox0xox0.com
Source: global traffic	DNS traffic detected: DNS query: ulai888.ydns.eu

Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ptlogin2.qun.qq.com%s
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://qun.qq.com%s
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%s
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ssl.ptlogin2.qq.com%s
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.Deuvw.exe.100ff940.2.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 3.2.Deuvw.exe.100ff940.3.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.PQ2.exe.100ff940.3.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 1.2.Deuvw.exe.1010ef88.4.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 1.2.Deuvw.exe.1010ef88.4.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 1.2.Deuvw.exe.1010ef88.4.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.PQ2.exe.1010ef88.4.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 0.2.PQ2.exe.1010ef88.4.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 0.2.PQ2.exe.1010ef88.4.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 3.2.Deuvw.exe.1010ef88.4.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 3.2.Deuvw.exe.1010ef88.4.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 3.2.Deuvw.exe.1010ef88.4.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 1.2.Deuvw.exe.100ff940.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 1.2.Deuvw.exe.100ff940.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 1.2.Deuvw.exe.100ff940.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.PQ2.exe.1010ef88.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 0.2.PQ2.exe.1010ef88.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 0.2.PQ2.exe.1010ef88.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 3.2.Deuvw.exe.1010ef88.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 3.2.Deuvw.exe.1010ef88.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 3.2.Deuvw.exe.1010ef88.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 0.2.PQ2.exe.100ff940.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 0.2.PQ2.exe.100ff940.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 0.2.PQ2.exe.100ff940.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 3.2.Deuvw.exe.100ff940.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 3.2.Deuvw.exe.100ff940.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 3.2.Deuvw.exe.100ff940.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 1.2.Deuvw.exe.1010ef88.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 1.2.Deuvw.exe.1010ef88.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 1.2.Deuvw.exe.1010ef88.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the Hidden public rootkit Author: ditekSHen
Source: 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies a variant of Gh0st Rat Author: unknown
Source: 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies a variant of Gh0st Rat Author: unknown
Source: 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies a variant of Gh0st Rat Author: unknown
Source: Process Memory Space: PQ2.exe PID: 7280, type: MEMORYSTR	Matched rule: Identifies a variant of Gh0st Rat Author: unknown
Source: Process Memory Space: Deuvw.exe PID: 7300, type: MEMORYSTR	Matched rule: Identifies a variant of Gh0st Rat Author: unknown
Source: Process Memory Space: Deuvw.exe PID: 7332, type: MEMORYSTR	Matched rule: Identifies a variant of Gh0st Rat Author: unknown

Source: PQ2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 1.2.Deuvw.exe.100ff940.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 3.2.Deuvw.exe.100ff940.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.PQ2.exe.100ff940.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 1.2.Deuvw.exe.1010ef88.4.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Deuvw.exe.1010ef88.4.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Deuvw.exe.1010ef88.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.PQ2.exe.1010ef88.4.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PQ2.exe.1010ef88.4.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PQ2.exe.1010ef88.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 3.2.Deuvw.exe.1010ef88.4.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Deuvw.exe.1010ef88.4.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Deuvw.exe.1010ef88.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 1.2.Deuvw.exe.100ff940.2.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Deuvw.exe.100ff940.2.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Deuvw.exe.100ff940.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.PQ2.exe.1010ef88.4.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PQ2.exe.1010ef88.4.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PQ2.exe.1010ef88.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 3.2.Deuvw.exe.1010ef88.4.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Deuvw.exe.1010ef88.4.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Deuvw.exe.1010ef88.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 0.2.PQ2.exe.100ff940.3.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PQ2.exe.100ff940.3.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PQ2.exe.100ff940.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 3.2.Deuvw.exe.100ff940.3.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Deuvw.exe.100ff940.3.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Deuvw.exe.100ff940.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 1.2.Deuvw.exe.1010ef88.4.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Deuvw.exe.1010ef88.4.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, score = , reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Deuvw.exe.1010ef88.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_RTK_HiddenRootKit author = ditekSHen, description = Detects the Hidden public rootkit
Source: 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
Source: 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
Source: 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
Source: Process Memory Space: PQ2.exe PID: 7280, type: MEMORYSTR	Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
Source: Process Memory Space: Deuvw.exe PID: 7300, type: MEMORYSTR	Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23
Source: Process Memory Space: Deuvw.exe PID: 7332, type: MEMORYSTR	Matched rule: Windows_Trojan_Gh0st_ee6de6bc reference_sample = ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d, os = windows, severity = x86, description = Identifies a variant of Gh0st Rat, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gh0st, fingerprint = 3c529043f34ad8a8692b051ad7c03206ce1aafc3a0eb8fcf7f5bcfdcb8c1b455, id = ee6de6bc-1648-4a77-9607-e2a211c7bda4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/3@24/2

Source: C:\Users\user\Desktop\PQ2.exe

File created: C:\Program Files\Deuvw.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Program Files\Deuvw.exe	Mutant created: \Sessions\1\BaseNamedObjects\ulai888.ydns.eu:14994

Source: C:\Users\user\Desktop\PQ2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PQ2.exe	ReversingLabs: Detection: 84%
Source: PQ2.exe	Virustotal: Detection: 70%

Source: C:\Users\user\Desktop\PQ2.exe

File read: C:\Users\user\Desktop\PQ2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PQ2.exe "C:\Users\user\Desktop\PQ2.exe"
Source: unknown	Process created: C:\Program Files\Deuvw.exe "C:\\Program Files\\Deuvw.exe" -auto
Source: C:\Users\user\Desktop\PQ2.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\PQ2.exe > nul
Source: C:\Program Files\Deuvw.exe	Process created: C:\Program Files\Deuvw.exe "C:\Program Files\Deuvw.exe" -acsi
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
Source: C:\Users\user\Desktop\PQ2.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\PQ2.exe > nul	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Process created: C:\Program Files\Deuvw.exe "C:\Program Files\Deuvw.exe" -acsi	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1	Jump to behavior

Source: C:\Users\user\Desktop\PQ2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PQ2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PQ2.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PQ2.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PQ2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PQ2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PQ2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PQ2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PQ2.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PQ2.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PQ2.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PQ2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Program Files\Deuvw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\PQ2.exe

Directory created: C:\Program Files\Deuvw.exe

Jump to behavior

Source:	Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: F:\hidden-master\Debug\QAssist.pdb source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PQ2.exe

Code function: 0_2_004670B7 LoadLibraryA,GetProcAddress,

0_2_004670B7

Source: initial sample

Static PE information: section where entry point is pointing to: .data

Source: Deuvw.exe.0.dr	Static PE information: real checksum: 0x7f4b0 should be: 0x87fe3
Source: PQ2.exe	Static PE information: real checksum: 0x7f4b0 should be: 0x87fe3

Source: C:\Users\user\Desktop\PQ2.exe	Code function: 0_2_00460132 push FFFFFFC7h; ret	0_2_00460155
Source: C:\Users\user\Desktop\PQ2.exe	Code function: 0_2_00469660 push eax; ret	0_2_0046968E
Source: C:\Program Files\Deuvw.exe	Code function: 1_2_00460132 push FFFFFFC7h; ret	1_2_00460155
Source: C:\Program Files\Deuvw.exe	Code function: 1_2_00469660 push eax; ret	1_2_0046968E
Source: C:\Program Files\Deuvw.exe	Code function: 3_2_00460132 push FFFFFFC7h; ret	3_2_00460155
Source: C:\Program Files\Deuvw.exe	Code function: 3_2_00469660 push eax; ret	3_2_0046968E

Source: C:\Users\user\Desktop\PQ2.exe

File created: C:\Program Files\Deuvw.exe

Jump to dropped file

Source: C:\Users\user\Desktop\PQ2.exe

File created: C:\Program Files\Deuvw.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\PQ2.exe	Process created: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\PQ2.exe > nul
Source: C:\Users\user\Desktop\PQ2.exe	Process created: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\PQ2.exe > nul			Jump to behavior

Source: C:\Users\user\Desktop\PQ2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Opens the same file many times (likely Sandbox evasion)

Source: C:\Program Files\Deuvw.exe	File opened: \Device\RasAcd count: 104733	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: \Device\Afd\Endpoint count: 43141	Jump to behavior
Source: C:\Program Files\Deuvw.exe	File opened: \Device\Afd\Endpoint count: 47984	Jump to behavior

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Program Files\Deuvw.exe

Section loaded: OutputDebugStringW count: 1936

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1			Jump to behavior

Source: C:\Program Files\Deuvw.exe TID: 7388	Thread sleep count: 81 > 30	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7388	Thread sleep time: -40500s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -48928s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32391s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -39436s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -86109s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31322s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30333s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -102188s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32662s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32757s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -60212s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -38528s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -54892s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31101s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -48786s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32439s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31115s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31673s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -38144s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -39870s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -43448s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31107s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30191s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -64418s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32591s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -56286s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -61672s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -48968s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -41200s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -33038s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31556s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30303s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32609s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -65404s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30523s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30562s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -40656s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -56866s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -59738s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -40284s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -43762s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31998s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -55784s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30510s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -62852s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -47514s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30932s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31329s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30145s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -36120s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -48417s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -61248s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31316s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -41342s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31185s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -55964s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -52878s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30606s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -40318s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -56594s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32270s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -34384s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30527s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31003s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -34444s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31286s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30974s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -61666s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -45186s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -42238s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31060s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32170s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -60454s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31928s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -65050s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -58022s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30771s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30188s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30900s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -35426s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31111s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32356s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -41112s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -47508s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31934s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31783s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31762s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -33282s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30877s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32678s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30695s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -58584s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -118224s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -51122s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31627s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31240s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32604s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31818s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -42196s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -46490s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -51309s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -64120s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -42860s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32226s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32257s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32726s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31001s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31196s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32404s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30093s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30814s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30838s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -36460s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32637s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31361s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30674s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30003s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32685s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31461s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -75807s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30234s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30212s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32170s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -41420s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32168s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -60160s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -36747s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -58842s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -40830s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -47882s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32745s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31762s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31907s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -42272s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -42586s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30114s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -36476s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -55836s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -35318s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32498s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -36474s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30807s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -62397s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -36704s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -40896s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -56630s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -44672s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31418s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -51656s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -75486s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -63508s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -53892s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30524s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31923s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -56700s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30714s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31591s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30568s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -47652s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -43920s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32611s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31450s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -40527s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30300s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -39390s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31172s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -54716s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30774s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30910s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -60390s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -57064s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30556s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30974s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -36566s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -52444s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -57166s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31111s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -64364s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -38980s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31068s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32196s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -33656s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30238s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -45002s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -75384s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -64358s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -40338s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -62620s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32528s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -56916s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32756s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -40556s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32075s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31982s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31244s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -82947s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -66045s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -53682s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -48300s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30648s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -48948s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32544s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31497s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31540s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -37610s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -57582s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -53958s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -61942s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31276s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -52978s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30740s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32607s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -57522s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31163s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32584s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31758s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31577s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31582s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -45824s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30693s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31226s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30180s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31947s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31810s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31351s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30189s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30422s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -55332s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31348s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -57776s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31561s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32372s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30032s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -34412s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -36332s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31020s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30109s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -43234s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -35812s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -48780s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -45597s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -84222s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30271s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31311s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -38826s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30038s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31647s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -38190s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30221s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31531s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -55872s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -45770s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -42160s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31202s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31493s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -49546s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -38194s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -41332s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -45280s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -43958s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32029s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -40166s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32718s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31063s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30470s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -42094s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32588s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -58542s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -53835s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -58442s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -40366s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -40270s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32671s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -63084s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31601s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31812s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -65414s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -44580s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31339s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31981s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -84669s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -58260s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -63840s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31056s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -60864s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32119s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -45590s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -42368s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -40952s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -60082s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31574s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31490s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32468s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -99312s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31690s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -52520s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32195s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -64850s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -43094s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30502s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31203s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30048s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31495s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30591s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -51582s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -36600s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -34466s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -37980s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30338s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32683s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31357s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31913s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32703s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31552s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32074s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -39104s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -43194s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -51358s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31088s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31635s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31717s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -37262s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -59362s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31071s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -61929s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -33680s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -55266s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -54074s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32203s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -39324s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31151s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32651s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32765s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -39202s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30581s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -49958s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30614s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -42952s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -33520s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32255s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30548s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30137s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32627s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30931s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30875s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30953s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30308s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -61584s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32469s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30811s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -35950s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30066s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -50790s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -42218s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31250s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -51004s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30862s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30885s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31260s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -45350s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -64160s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -64290s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -60462s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32072s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -41472s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30259s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -42708s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -35858s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -65258s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -81255s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -46210s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32018s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30424s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -53628s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30104s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -52770s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -63240s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -52248s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30412s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32676s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32503s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32729s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -56784s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -51478s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -41332s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31687s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30466s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -53838s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -48014s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30947s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31376s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30664s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -50636s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31461s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31453s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -34314s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31245s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32764s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32657s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -36518s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -64437s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -49186s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30806s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -52320s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32261s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32506s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30783s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32053s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -36270s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32389s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -63488s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -37826s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -55154s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30211s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -42642s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31000s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -42744s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30731s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -47974s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32557s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -40340s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -54364s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32331s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31004s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30052s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -39602s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30323s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31896s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31805s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -38570s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32471s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31034s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -65438s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30435s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32686s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -33178s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -37518s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32677s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31641s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30335s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -49236s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32094s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31522s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31896s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -56426s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32621s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31547s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32444s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -48580s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31918s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31269s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31993s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -41754s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -44670s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30476s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -35446s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -37412s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30345s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31550s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -39570s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30775s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -54592s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -51672s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -65304s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30397s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32125s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -39735s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32488s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -55598s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32612s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31864s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31708s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32499s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32701s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30024s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -56031s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30712s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30624s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31122s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -52106s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -38794s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -44394s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30742s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30037s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -31036s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -46122s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32736s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30470s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -50382s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30858s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -61812s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -35552s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32301s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32570s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -30643s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -36122s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32618s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -37226s >= -30000s	Jump to behavior
Source: C:\Program Files\Deuvw.exe TID: 7392	Thread sleep time: -32621s >= -30000s	Jump to behavior

Source: C:\Program Files\Deuvw.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed

Source: C:\Program Files\Deuvw.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32391	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31322	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30333	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32662	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32757	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30106	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31101	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32439	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31115	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31673	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31107	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30191	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32209	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32591	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30836	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31556	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30303	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32609	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32702	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30523	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31998	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31426	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30932	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31329	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30145	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31316	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31185	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32270	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30527	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31003	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31286	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30974	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30833	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31060	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32170	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30227	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31928	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32525	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30771	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30188	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30900	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31111	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32356	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31934	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31783	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30877	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32678	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30695	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31627	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31240	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32604	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31818	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32060	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32226	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32257	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32726	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31001	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31196	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32404	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30093	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30814	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30838	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32637	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31361	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30674	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30003	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32685	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31461	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30212	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32168	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30080	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32745	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31762	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31907	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30114	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32498	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30807	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31418	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31754	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30524	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31923	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30714	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31591	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30568	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32611	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31450	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30300	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31172	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30774	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30910	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30195	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30556	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30974	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31111	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32182	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31068	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32196	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30238	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32179	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31310	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32528	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32756	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32075	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31982	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31244	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30648	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32544	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31497	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31540	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30971	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31276	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32607	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31163	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32584	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31758	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31577	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30693	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31226	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30180	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31947	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31810	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31351	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30189	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30422	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31348	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31561	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32372	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30032	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31020	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30109	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30271	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31311	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30038	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31647	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30221	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31531	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31202	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31493	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32029	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32718	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31063	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30470	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32588	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32671	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31601	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31812	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32707	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31339	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31981	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31920	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31056	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30432	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32119	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30041	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31490	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32468	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31690	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32195	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32425	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30502	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31203	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30048	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31495	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30591	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30338	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32683	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31357	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31913	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32703	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31552	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32074	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31088	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31635	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31717	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31071	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32203	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31151	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32651	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32765	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30581	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30614	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32255	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30548	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30137	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32627	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30931	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30875	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30953	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30308	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30792	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32469	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30811	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30066	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31250	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30862	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30885	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31260	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32080	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32145	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30231	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32072	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30259	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32629	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32018	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30424	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30104	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31620	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30412	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32676	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32503	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32729	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31687	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30466	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30947	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31376	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30664	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31461	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31453	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31245	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32764	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32657	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30806	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32261	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32506	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30783	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32053	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32389	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31744	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30211	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31000	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30731	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32557	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32331	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31004	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30323	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31805	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32471	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31034	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32719	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30435	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32686	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32677	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31641	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30335	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32094	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31522	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31896	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32621	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31547	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32444	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31918	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31269	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31993	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30345	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31550	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30775	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32652	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30397	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32125	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32488	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32612	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31864	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31708	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32499	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32701	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30712	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30624	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31122	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30742	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30037	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31036	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32736	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30470	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30858	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30906	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32301	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32570	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30643	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32618	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32621	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31313	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32271	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31441	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32668	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31015	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32240	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31641	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31505	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31502	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32046	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31901	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30350	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31476	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31155	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30946	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31065	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32715	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32200	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32106	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31302	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30175	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31597	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32036	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30169	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32097	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32176	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30260	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30721	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31447	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31723	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31506	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30270	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30245	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31283	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32389	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31785	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30935	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30883	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31496	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31539	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31654	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30510	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30499	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31256	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31665	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30630	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32517	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31066	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32371	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31102	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31417	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31463	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30519	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31585	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31371	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32019	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30843	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31274	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30511	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32702	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31467	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32091	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31159	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31314	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30134	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31478	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30301	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31676	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30062	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30665	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31999	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31413	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31175	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32501	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31622	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31988	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30977	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30876	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30816	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30654	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30574	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30538	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30623	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31149	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31741	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32628	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32471	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31180	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32482	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30732	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31165	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32143	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31768	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31347	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32000	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30786	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31597	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31579	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30787	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30837	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31626	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30336	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32405	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30049	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31270	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30119	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32521	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32050	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32020	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31098	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30406	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31033	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30096	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32190	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30580	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30285	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30571	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30916	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31539	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31099	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32057	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31148	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32655	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30582	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30794	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31884	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30432	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32530	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30393	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30121	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31870	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31794	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30144	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30388	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31395	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30542	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30487	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31668	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32361	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32313	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32128	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32235	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30014	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30884	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30759	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31655	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30219	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30283	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30265	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30160	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32666	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32048	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32514	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30856	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30180	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31987	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30503	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30057	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31210	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31565	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32692	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30103	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32169	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31958	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32174	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30076	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30129	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32647	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31623	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30132	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32177	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30528	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31593	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30079	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30185	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31077	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31499	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30554	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30522	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31826	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32485	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32364	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31657	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30867	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30369	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32212	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32759	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30943	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30954	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31504	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32589	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31230	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31520	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31782	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32705	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30870	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32684	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32151	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31184	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32271	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31825	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31173	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31238	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31197	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30589	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30382	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30339	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30633	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32134	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32071	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 32487	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31139	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30268	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31684	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31103	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30973	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30118	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 30209	Jump to behavior
Source: C:\Program Files\Deuvw.exe	Thread delayed: delay time: 31032	Jump to behavior

Source: Deuvw.exe, 00000003.00000002.3327552604.00000000005B8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PQ2.exe	API call chain: ExitProcess graph end node	graph_0-5987
Source: C:\Program Files\Deuvw.exe	API call chain: ExitProcess graph end node	graph_1-5860
Source: C:\Program Files\Deuvw.exe	API call chain: ExitProcess graph end node	graph_3-5862

Source: C:\Program Files\Deuvw.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PQ2.exe

Code function: 0_2_004670B7 LoadLibraryA,GetProcAddress,

0_2_004670B7

Source: C:\Users\user\Desktop\PQ2.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\PQ2.exe > nul			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1			Jump to behavior

Source: Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndProgman%s.exeBITSlpszHostdoor -inst.sys\system32\drivers\\sysnative\drivers\SYSTEM\CurrentControlSet\Services\BITSSYSTEM\SelectMarkTimeSYSTEM\CurrentControlSet\Services\\Registry\Machine\System\CurrentControlSet\Services\%SZwUnloadDriverNTDLL.DLLRtlInitUnicodeStringSeLoadDriverPrivilegeCreateEventACloseHandleWaitForSingleObject
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Progman

Source: C:\Users\user\Desktop\PQ2.exe

Code function: 0_2_00467598 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,

0_2_00467598

Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: acs.exe
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avcenter.exe
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: kxetray.exe
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: cfp.exe
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: KSafeTray.exe
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: rtvscan.exe
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 360tray.exe
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ashDisp.exe
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgwdsvc.exe
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: AYAgent.aye
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: QUHLPSVC.EXE
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: RavMonD.exe
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Mcshield.exe
Source: PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Yara detected Mimikatz

Source: Yara match	File source: 1.2.Deuvw.exe.100ff940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PQ2.exe.1010ef88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Deuvw.exe.1010ef88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PQ2.exe.100ff940.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Deuvw.exe.100ff940.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Deuvw.exe.1010ef88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PQ2.exe PID: 7280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Deuvw.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Deuvw.exe PID: 7332, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	12 Process Injection	12 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Virtualization/Sandbox Evasion	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	12 Process Injection	Security Account Manager	211 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	3 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PQ2.exe	84%	ReversingLabs	Win32.Backdoor.Farfli
PQ2.exe	71%	Virustotal		Browse
PQ2.exe	100%	Avira	TR/Crypt.XPACK.Gen
PQ2.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\Deuvw.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Program Files\Deuvw.exe	100%	Joe Sandbox ML
C:\Program Files\Deuvw.exe	84%	ReversingLabs	Win32.Backdoor.Farfli

URLs

Source	Detection	Scanner	Label
http://ptlogin2.qun.qq.com%s	0%	Avira URL Cloud	safe
http://qun.qq.com%s	0%	Avira URL Cloud	safe
https://localhost.ptlogin2.qq.com:4301%s	0%	Avira URL Cloud	safe
https://ssl.ptlogin2.qq.com%s	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ulai888.ydns.eu	38.6.164.159	true	true		unknown
hzh.0xox0xox0.com	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ssl.ptlogin2.qq.com%s	PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_	PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ptlogin2.qun.qq.com%s	PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://qun.qq.com%s	PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://localhost.ptlogin2.qq.com:4301%s	PQ2.exe, 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Deuvw.exe, 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
38.6.164.159	ulai888.ydns.eu	United States		174	COGENT-174US	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583199
Start date and time:	2025-01-02 08:42:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PQ2.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/3@24/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 64% Number of executed functions: 29 Number of non-executed functions: 34
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
02:43:04	API Interceptor	116742x Sleep call for process: Deuvw.exe modified

Created / dropped Files

C:\Program Files\Deuvw.exe

Download File

Process:	C:\Users\user\Desktop\PQ2.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	502784
Entropy (8bit):	7.540324281637106
Encrypted:	false
SSDEEP:	6144:GpoMkequERu8qQ1fjYMMW9eKZH+IdISTUL24qL9cPKcPzR2RD6lZv:oDR+u8pfjYMMWNvdhUSByFPzdv
MD5:	77B621C8AE246DA4619C8315C6996576
SHA1:	43B19A006A6E8C864B33F63604C3D5B94B26A410
SHA-256:	0CB5C8E6987F74A213353851DC12B7B3A08130FD5EBB18F4455C659E8F46442F
SHA-512:	A28BDB4B08C732558E97C6EFC71A32D2E7681D770C68EACC78E2DACE03F78E2DBF4ABFAA66D1B2E0E69CEFE05955D7A2CBFFB88DBAD3957E48D63D68AF4F0F46
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.x...+...+...+s..+...+.<.+...+3..+...+...+...+.<.+...+7..+...+Rich...+................PE..L....M.a.............................u............@.........................................................................\...(.......8............................................................................................................data..............................@....rsrc...8...........................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Deuvw.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\PQ2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	331
Entropy (8bit):	4.92149009030101
Encrypted:	false
SSDEEP:	6:PzLSLzMRfmWxHLThx2LThx0sW26VY7FwAFeMmvVOIHJFxMVlmJHaVFEG1vv:PKMRJpTeT0sBSAFSkIrxMVlmJHaVzvv
MD5:	2E512EE24AAB186D09E9A1F9B72A0569
SHA1:	C5BA2E0C0338FFEE13ED1FB6DA0CC9C000824B0B
SHA-256:	DB41050CA723A06D95B73FFBE40B32DE941F5EE474F129B2B33E91C67B72674F
SHA-512:	6B4487A088155E34FE5C642E1C3D46F63CB2DDD9E4092809CE6F3BEEFDEF0D1F8AA67F8E733EDE70B07F467ED5BB6F07104EEA4C1E7AC7E1A502A772F56F7DE9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

GetProcAddress, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetCurrentThreadId, TlsSetValue, TlsAlloc, SetLastError, TlsGetValue, GetLastError, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, HeapFree, RtlUnwind, WriteFile, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetCPInfo, GetACP, GetOEMCP, HeapAlloc, VirtualAlloc, HeapReAlloc, LoadLibraryA, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, InterlockedDecrement, InterlockedIncrement

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T08:43:02.233971+0100	2842048	ETPRO MALWARE Win32/Farfli.CTT CnC Activity	1	192.168.2.5	49704	38.6.164.159	14994	TCP
2025-01-02T08:43:06.535380+0100	2842048	ETPRO MALWARE Win32/Farfli.CTT CnC Activity	1	192.168.2.5	49704	38.6.164.159	14994	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 08:43:06.007914066 CET	49704	14994	192.168.2.5	38.6.164.159
Jan 2, 2025 08:43:06.012661934 CET	14994	49704	38.6.164.159	192.168.2.5
Jan 2, 2025 08:43:06.012726068 CET	49704	14994	192.168.2.5	38.6.164.159
Jan 2, 2025 08:43:06.535379887 CET	49704	14994	192.168.2.5	38.6.164.159
Jan 2, 2025 08:43:06.542584896 CET	14994	49704	38.6.164.159	192.168.2.5
Jan 2, 2025 08:43:06.876585960 CET	14994	49704	38.6.164.159	192.168.2.5
Jan 2, 2025 08:43:06.921283960 CET	49704	14994	192.168.2.5	38.6.164.159
Jan 2, 2025 08:43:36.890039921 CET	49704	14994	192.168.2.5	38.6.164.159
Jan 2, 2025 08:43:36.894896030 CET	14994	49704	38.6.164.159	192.168.2.5
Jan 2, 2025 08:44:06.905698061 CET	49704	14994	192.168.2.5	38.6.164.159
Jan 2, 2025 08:44:06.910491943 CET	14994	49704	38.6.164.159	192.168.2.5
Jan 2, 2025 08:44:36.999460936 CET	49704	14994	192.168.2.5	38.6.164.159
Jan 2, 2025 08:44:37.004578114 CET	14994	49704	38.6.164.159	192.168.2.5
Jan 2, 2025 08:45:07.077657938 CET	49704	14994	192.168.2.5	38.6.164.159
Jan 2, 2025 08:45:07.082607031 CET	14994	49704	38.6.164.159	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 08:43:05.989190102 CET	58517	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:43:05.989330053 CET	49433	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:43:05.997095108 CET	53	58517	1.1.1.1	192.168.2.5
Jan 2, 2025 08:43:06.002485037 CET	53	49433	1.1.1.1	192.168.2.5
Jan 2, 2025 08:43:11.250313997 CET	60412	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:43:11.257792950 CET	53	60412	1.1.1.1	192.168.2.5
Jan 2, 2025 08:43:16.203536987 CET	54262	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:43:16.211005926 CET	53	54262	1.1.1.1	192.168.2.5
Jan 2, 2025 08:43:21.000205040 CET	57699	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:43:21.007615089 CET	53	57699	1.1.1.1	192.168.2.5
Jan 2, 2025 08:43:29.524172068 CET	55475	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:43:29.534425974 CET	53	55475	1.1.1.1	192.168.2.5
Jan 2, 2025 08:43:34.890849113 CET	62787	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:43:34.897902966 CET	53	62787	1.1.1.1	192.168.2.5
Jan 2, 2025 08:43:42.096738100 CET	57140	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:43:42.105556965 CET	53	57140	1.1.1.1	192.168.2.5
Jan 2, 2025 08:43:46.968919992 CET	59968	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:43:46.977406979 CET	53	59968	1.1.1.1	192.168.2.5
Jan 2, 2025 08:43:51.968873024 CET	53844	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:43:51.976227999 CET	53	53844	1.1.1.1	192.168.2.5
Jan 2, 2025 08:43:58.062782049 CET	64660	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:43:58.070607901 CET	53	64660	1.1.1.1	192.168.2.5
Jan 2, 2025 08:44:03.051552057 CET	62951	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:44:03.058600903 CET	53	62951	1.1.1.1	192.168.2.5
Jan 2, 2025 08:44:08.125370026 CET	61312	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:44:08.151927948 CET	53	61312	1.1.1.1	192.168.2.5
Jan 2, 2025 08:44:16.218957901 CET	56367	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:44:16.391292095 CET	53	56367	1.1.1.1	192.168.2.5
Jan 2, 2025 08:44:20.937691927 CET	52093	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:44:20.948575020 CET	53	52093	1.1.1.1	192.168.2.5
Jan 2, 2025 08:44:25.937429905 CET	58924	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:44:25.944783926 CET	53	58924	1.1.1.1	192.168.2.5
Jan 2, 2025 08:44:31.365525007 CET	57467	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:44:31.372514009 CET	53	57467	1.1.1.1	192.168.2.5
Jan 2, 2025 08:44:35.937458992 CET	57460	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:44:35.945101976 CET	53	57460	1.1.1.1	192.168.2.5
Jan 2, 2025 08:44:41.185120106 CET	54917	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:44:41.192297935 CET	53	54917	1.1.1.1	192.168.2.5
Jan 2, 2025 08:44:45.946690083 CET	49326	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:44:45.953912973 CET	53	49326	1.1.1.1	192.168.2.5
Jan 2, 2025 08:44:50.939282894 CET	59168	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:44:50.948000908 CET	53	59168	1.1.1.1	192.168.2.5
Jan 2, 2025 08:44:55.940181971 CET	60174	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:44:55.947726965 CET	53	60174	1.1.1.1	192.168.2.5
Jan 2, 2025 08:45:01.015829086 CET	54618	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:45:01.023004055 CET	53	54618	1.1.1.1	192.168.2.5
Jan 2, 2025 08:45:05.937344074 CET	61294	53	192.168.2.5	1.1.1.1
Jan 2, 2025 08:45:05.945245028 CET	53	61294	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 08:43:05.989190102 CET	192.168.2.5	1.1.1.1	0x2eec	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:43:05.989330053 CET	192.168.2.5	1.1.1.1	0x8bd1	Standard query (0)	ulai888.ydns.eu	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:43:11.250313997 CET	192.168.2.5	1.1.1.1	0x8e18	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:43:16.203536987 CET	192.168.2.5	1.1.1.1	0xace	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:43:21.000205040 CET	192.168.2.5	1.1.1.1	0x11f	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:43:29.524172068 CET	192.168.2.5	1.1.1.1	0xc0fb	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:43:34.890849113 CET	192.168.2.5	1.1.1.1	0x73ae	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:43:42.096738100 CET	192.168.2.5	1.1.1.1	0xeffa	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:43:46.968919992 CET	192.168.2.5	1.1.1.1	0xdf4b	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:43:51.968873024 CET	192.168.2.5	1.1.1.1	0x39dd	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:43:58.062782049 CET	192.168.2.5	1.1.1.1	0x7126	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:03.051552057 CET	192.168.2.5	1.1.1.1	0xe4f	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:08.125370026 CET	192.168.2.5	1.1.1.1	0x3eda	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:16.218957901 CET	192.168.2.5	1.1.1.1	0x8726	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:20.937691927 CET	192.168.2.5	1.1.1.1	0xa707	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:25.937429905 CET	192.168.2.5	1.1.1.1	0x881b	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:31.365525007 CET	192.168.2.5	1.1.1.1	0xf0fa	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:35.937458992 CET	192.168.2.5	1.1.1.1	0x4dab	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:41.185120106 CET	192.168.2.5	1.1.1.1	0x1829	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:45.946690083 CET	192.168.2.5	1.1.1.1	0x83b4	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:50.939282894 CET	192.168.2.5	1.1.1.1	0xea43	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:55.940181971 CET	192.168.2.5	1.1.1.1	0x1768	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:45:01.015829086 CET	192.168.2.5	1.1.1.1	0x799a	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:45:05.937344074 CET	192.168.2.5	1.1.1.1	0x81e9	Standard query (0)	hzh.0xox0xox0.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 08:43:05.997095108 CET	1.1.1.1	192.168.2.5	0x2eec	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:43:06.002485037 CET	1.1.1.1	192.168.2.5	0x8bd1	No error (0)	ulai888.ydns.eu		38.6.164.159	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:43:11.257792950 CET	1.1.1.1	192.168.2.5	0x8e18	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:43:16.211005926 CET	1.1.1.1	192.168.2.5	0xace	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:43:21.007615089 CET	1.1.1.1	192.168.2.5	0x11f	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:43:29.534425974 CET	1.1.1.1	192.168.2.5	0xc0fb	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:43:34.897902966 CET	1.1.1.1	192.168.2.5	0x73ae	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:43:42.105556965 CET	1.1.1.1	192.168.2.5	0xeffa	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:43:46.977406979 CET	1.1.1.1	192.168.2.5	0xdf4b	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:43:51.976227999 CET	1.1.1.1	192.168.2.5	0x39dd	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:43:58.070607901 CET	1.1.1.1	192.168.2.5	0x7126	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:03.058600903 CET	1.1.1.1	192.168.2.5	0xe4f	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:08.151927948 CET	1.1.1.1	192.168.2.5	0x3eda	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:16.391292095 CET	1.1.1.1	192.168.2.5	0x8726	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:20.948575020 CET	1.1.1.1	192.168.2.5	0xa707	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:25.944783926 CET	1.1.1.1	192.168.2.5	0x881b	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:31.372514009 CET	1.1.1.1	192.168.2.5	0xf0fa	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:35.945101976 CET	1.1.1.1	192.168.2.5	0x4dab	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:41.192297935 CET	1.1.1.1	192.168.2.5	0x1829	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:45.953912973 CET	1.1.1.1	192.168.2.5	0x83b4	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:50.948000908 CET	1.1.1.1	192.168.2.5	0xea43	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:44:55.947726965 CET	1.1.1.1	192.168.2.5	0x1768	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:45:01.023004055 CET	1.1.1.1	192.168.2.5	0x799a	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 08:45:05.945245028 CET	1.1.1.1	192.168.2.5	0x81e9	Name error (3)	hzh.0xox0xox0.com	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	02:43:04
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\PQ2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PQ2.exe"
Imagebase:	0x400000
File size:	502'784 bytes
MD5 hash:	77B621C8AE246DA4619C8315C6996576
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gh0st_ee6de6bc, Description: Identifies a variant of Gh0st Rat, Source: 00000000.00000002.2081272915.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:43:04
Start date:	02/01/2025
Path:	C:\Program Files\Deuvw.exe
Wow64 process (32bit):	true
Commandline:	"C:\\Program Files\\Deuvw.exe" -auto
Imagebase:	0x400000
File size:	502'784 bytes
MD5 hash:	77B621C8AE246DA4619C8315C6996576
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gh0st_ee6de6bc, Description: Identifies a variant of Gh0st Rat, Source: 00000001.00000002.2081904947.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 84%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:43:04
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\PQ2.exe > nul
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:43:04
Start date:	02/01/2025
Path:	C:\Program Files\Deuvw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Deuvw.exe" -acsi
Imagebase:	0x400000
File size:	502'784 bytes
MD5 hash:	77B621C8AE246DA4619C8315C6996576
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gh0st_ee6de6bc, Description: Identifies a variant of Gh0st Rat, Source: 00000003.00000002.3328143326.00000000100FE000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	02:43:04
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:43:04
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping -n 2 127.0.0.1
Imagebase:	0x3b0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.8%
Dynamic/Decrypted Code Coverage:	1.2%
Signature Coverage:	6.3%
Total number of Nodes:	412
Total number of Limit Nodes:	18

Executed Functions

Function 004670B7 Relevance: 50.9, APIs: 2, Strings: 27, Instructions: 149
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004668C0: GetModuleHandleA.KERNEL32(?,00062000,00000000,004010F0), ref: 0046693F
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000), ref: 00466948
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000,?), ref: 00466958

Part of subcall function 004668C0: GetModuleHandleA.KERNEL32(Libr), ref: 0046695F

LoadLibraryA.KERNEL32(?,?,?,?,00000016,00000000,?), ref: 004671C7
GetProcAddress.KERNEL32(?,GmF), ref: 0046723C

Strings

s, xrefs: 00467107
r, xrefs: 00467163
A, xrefs: 00467173
t, xrefs: 0046712B
a, xrefs: 0046710F
r, xrefs: 0046716B
B, xrefs: 0046710B
GmF, xrefs: 0046717C, 00467219, 00467238
e, xrefs: 0046711B
GmF, xrefs: 004671B6, 00467209, 00467230
KERNEL32.dll, xrefs: 00467146, 00467149
d, xrefs: 00467113
b, xrefs: 0046715F
R, xrefs: 00467117
a, xrefs: 0046711F
i, xrefs: 0046715B
L, xrefs: 00467157
L, xrefs: 00467141
d, xrefs: 00467153
P, xrefs: 00467127
I, xrefs: 00467103
o, xrefs: 0046714B
a, xrefs: 0046714F
y, xrefs: 0046716F
r, xrefs: 0046712F
d, xrefs: 00467123
a, xrefs: 00467167

Memory Dump Source

Source File: 00000000.00000002.2080870374.0000000000465000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080798679.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080822459.0000000000401000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080890901.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080911048.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PQ2.jbxd

Similarity

API ID: AddressProc$HandleModule$LibraryLoad
String ID: A$B$GmF$GmF$I$KERNEL32.dll$L$L$P$R$a$a$a$a$b$d$d$d$e$i$o$r$r$r$s$t$y
API String ID: 551388010-1369886350
Opcode ID: 9146fd96053e2050b3294d5e699eb0beb02dc719ea692024da2c8e9b1210d4cc
Instruction ID: 73e0fe1b8e5c6c9f5f942eac17084d9bf6255d1aace67817413c182afa2f5bd3
Opcode Fuzzy Hash: 9146fd96053e2050b3294d5e699eb0beb02dc719ea692024da2c8e9b1210d4cc
Instruction Fuzzy Hash: 30615470D08289DEEB11CBA8C8447DEBFF56F15358F184099E584A7382D3BD9944C776

Function 00467598 Relevance: 6.1, APIs: 4, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 004675BE

Part of subcall function 00468210: HeapCreate.KERNEL32(00000000,00001000,00000000,004675F6,00000001), ref: 00468221
Part of subcall function 00468210: HeapDestroy.KERNEL32 ref: 00468260

GetCommandLineA.KERNEL32 ref: 0046761E
GetStartupInfoA.KERNEL32(?), ref: 00467649
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0046766C

Part of subcall function 004676C5: ExitProcess.KERNEL32 ref: 004676E2

Memory Dump Source

Source File: 00000000.00000002.2080870374.0000000000465000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080798679.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080822459.0000000000401000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080890901.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080911048.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PQ2.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: 74ae398f86775484538032804f60e5769ebf57acb35412f92e8c4fd7a89ff731
Instruction ID: f877db75b34aef535155fa93e1ad8a33f9cc10bfb3bd4b0f6148cfe794d3ada0
Opcode Fuzzy Hash: 74ae398f86775484538032804f60e5769ebf57acb35412f92e8c4fd7a89ff731
Instruction Fuzzy Hash: 902165B19447059ED704AFB5DD46A6E7BA8EF0471CF10452FF501972A2FB784880CB9B

Function 00466B6A Relevance: 60.2, APIs: 2, Strings: 38, Instructions: 189
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004668C0: GetModuleHandleA.KERNEL32(?,00062000,00000000,004010F0), ref: 0046693F
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000), ref: 00466948
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000,?), ref: 00466958

Part of subcall function 004668C0: GetModuleHandleA.KERNEL32(Libr), ref: 0046695F

VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,?,?,?,?,?,?,004010F0), ref: 00466CA3
VirtualAlloc.KERNEL32(00000016,?,00001000,00000004,?,?,?,?,?,?,?,004010F0), ref: 00466CEE

Strings

o, xrefs: 00466C64
a, xrefs: 00466C50
l, xrefs: 00466BDA
KERNEL32.dll, xrefs: 00466BFA, 00466BFD
e, xrefs: 00466BFF
VirtualAlloc, xrefs: 00466B7A
HeapAlloc, xrefs: 00466C3F
G, xrefs: 00466BF5
a, xrefs: 00466C2B
o, xrefs: 00466C0F
V, xrefs: 00466BB6
A, xrefs: 00466C58
u, xrefs: 00466BC6
p, xrefs: 00466C54
a, xrefs: 00466BCA
P, xrefs: 00466C07
H, xrefs: 00466C42
e, xrefs: 00466C17
s, xrefs: 00466C1B
r, xrefs: 00466C0B
i, xrefs: 00466BBA
e, xrefs: 00466C27
A, xrefs: 00466BD2
l, xrefs: 00466C60
t, xrefs: 00466BC2
l, xrefs: 00466BD6
p, xrefs: 00466C2F
H, xrefs: 00466C23
c, xrefs: 00466C13
e, xrefs: 00466C4C
o, xrefs: 00466BDE
c, xrefs: 00466BE2
r, xrefs: 00466BBE
l, xrefs: 00466C5C
c, xrefs: 00466C68
t, xrefs: 00466C03
l, xrefs: 00466BCE
s, xrefs: 00466C1F

Memory Dump Source

Source File: 00000000.00000002.2080870374.0000000000465000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080798679.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080822459.0000000000401000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080890901.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080911048.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PQ2.jbxd

Similarity

API ID: AddressAllocHandleModuleProcVirtual
String ID: A$A$G$H$H$HeapAlloc$KERNEL32.dll$P$V$VirtualAlloc$a$a$a$c$c$c$e$e$e$e$i$l$l$l$l$l$o$o$o$p$p$r$r$s$s$t$t$u
API String ID: 3695083113-2890414303
Opcode ID: eea5828057d8a8a3ca217eb1021cde760f26655aafc521580391e7091950ef6c
Instruction ID: 56dfe851e749cfa52889f2bfcfc8cef8fedfa8cb50ddae72ef14544c6a3e4736
Opcode Fuzzy Hash: eea5828057d8a8a3ca217eb1021cde760f26655aafc521580391e7091950ef6c
Instruction Fuzzy Hash: 06814271D08288DEEB11DBA8C844BDEBFF55F16708F084089E5807B282D7BE5549C77A

Function 00466EB1 Relevance: 52.6, APIs: 1, Strings: 29, Instructions: 128
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004668C0: GetModuleHandleA.KERNEL32(?,00062000,00000000,004010F0), ref: 0046693F
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000), ref: 00466948
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000,?), ref: 00466958

Part of subcall function 004668C0: GetModuleHandleA.KERNEL32(Libr), ref: 0046695F

VirtualProtect.KERNEL32(?,?,00000000,?,00000016,00000000,?,?,?,?,?,?), ref: 00467017

Strings

t, xrefs: 00466F6A
i, xrefs: 00466EFA
t, xrefs: 00466F02
u, xrefs: 00466F46
i, xrefs: 00466F3A
l, xrefs: 00466F0E
e, xrefs: 00466F1E
RmF, xrefs: 00466F79, 0046701D
o, xrefs: 00466F5A
e, xrefs: 00466F1A
KERNEL32.dll, xrefs: 00466F31, 00466F34
e, xrefs: 00466F62
a, xrefs: 00466F4A
l, xrefs: 00466F4E
c, xrefs: 00466F66
t, xrefs: 00466F5E
P, xrefs: 00466F52
V, xrefs: 00466EF6
RmF, xrefs: 0046701A
r, xrefs: 00466F3E
F, xrefs: 00466F12
r, xrefs: 00466F16
V, xrefs: 00466F36
r, xrefs: 00466EFE
t, xrefs: 00466F42
a, xrefs: 00466F0A
@, xrefs: 00466FF6
r, xrefs: 00466F56
u, xrefs: 00466F06

Memory Dump Source

Source File: 00000000.00000002.2080870374.0000000000465000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080798679.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080822459.0000000000401000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080890901.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080911048.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PQ2.jbxd

Similarity

API ID: AddressHandleModuleProc$ProtectVirtual
String ID: @$F$KERNEL32.dll$P$RmF$RmF$V$V$a$a$c$e$e$e$i$i$l$l$o$r$r$r$r$t$t$t$t$u$u
API String ID: 2080333215-3833892956
Opcode ID: cb608eef3711ebfc93400a4942087660b63e14b03940701ee4406093afd551ff
Instruction ID: 72b4ce0505e3628847bb6db0ce6ea59a5e3d376deda158c5c7a16eff45700afd
Opcode Fuzzy Hash: cb608eef3711ebfc93400a4942087660b63e14b03940701ee4406093afd551ff
Instruction Fuzzy Hash: 60513270C082C8DEDB02CBA8D5887DEBFB56F16348F184099D5847B292D3BE5A09C776

Function 00466D84 Relevance: 37.6, APIs: 1, Strings: 24, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004668C0: GetModuleHandleA.KERNEL32(?,00062000,00000000,004010F0), ref: 0046693F
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000), ref: 00466948
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000,?), ref: 00466958

VirtualAlloc.KERNEL32(?,?,00001000,00000004,00000016,00000000,?), ref: 00466E7A

Strings

2, xrefs: 00466DBC
3, xrefs: 00466DB8
i, xrefs: 00466DD4
c, xrefs: 00466DFC
N, xrefs: 00466DAC
A, xrefs: 00466DEC
L, xrefs: 00466DB4
., xrefs: 00466DC0
t, xrefs: 00466DDC
E, xrefs: 00466DB0
l, xrefs: 00466DE8
K, xrefs: 00466DA0
a, xrefs: 00466DE4
l, xrefs: 00466DC8
l, xrefs: 00466DCC
r, xrefs: 00466DD8
E, xrefs: 00466DA4
o, xrefs: 00466DF8
l, xrefs: 00466DF0
R, xrefs: 00466DA8
u, xrefs: 00466DE0
V, xrefs: 00466DD0
l, xrefs: 00466DF4
d, xrefs: 00466DC4

Memory Dump Source

Source File: 00000000.00000002.2080870374.0000000000465000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080798679.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080822459.0000000000401000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080890901.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080911048.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PQ2.jbxd

Similarity

API ID: AddressProc$AllocHandleModuleVirtual
String ID: .$2$3$A$E$E$K$L$N$R$V$a$c$d$i$l$l$l$l$l$o$r$t$u
API String ID: 3787274985-1410553462
Opcode ID: 9a20da68c6a90be79534ff80353c2f0603882a79139077a3888f10a88befb3b9
Instruction ID: b7ee7351b5069f9bbbcd0e3288277ca9420c032c07cd61825cf92ba50ad0a3c8
Opcode Fuzzy Hash: 9a20da68c6a90be79534ff80353c2f0603882a79139077a3888f10a88befb3b9
Instruction Fuzzy Hash: 02416171D04288DBDF01CBA8C448BDEBFF1AF55704F084099D584AB382D3BA5A58C779

Function 0046A68E Relevance: 13.7, APIs: 9, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringW.KERNEL32(00000000,00000100,00466730,00000001,00000000,00000000,7591E860,0046B7E4,?,?,?,0046AB02,?,?,?,00000000), ref: 0046A6D0
LCMapStringA.KERNEL32(00000000,00000100,0046672C,00000001,00000000,00000000,?,?,0046AB02,?,?,?,00000000,00000001), ref: 0046A6EC
LCMapStringA.KERNEL32(?,?,?,0046AB02,?,?,7591E860,0046B7E4,?,?,?,0046AB02,?,?,?,00000000), ref: 0046A735
MultiByteToWideChar.KERNEL32(?,0046B7E5,?,0046AB02,00000000,00000000,7591E860,0046B7E4,?,?,?,0046AB02,?,?,?,00000000), ref: 0046A76D
MultiByteToWideChar.KERNEL32(00000000,00000001,?,0046AB02,?,00000000,?,?,0046AB02,?), ref: 0046A7C5
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0046AB02,?), ref: 0046A7DB
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0046AB02,?), ref: 0046A80E
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0046AB02,?), ref: 0046A876

Memory Dump Source

Source File: 00000000.00000002.2080870374.0000000000465000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080798679.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080822459.0000000000401000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080890901.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080911048.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PQ2.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: a28fd5e3e5a475bf9b6a264a68c1a845a1e8dddc284e8329ea69289aa823242b
Instruction ID: 12cc6b9feb3d9a71118cc58f801efc8483379fe271ac96587175e3a828ac97c7
Opcode Fuzzy Hash: a28fd5e3e5a475bf9b6a264a68c1a845a1e8dddc284e8329ea69289aa823242b
Instruction Fuzzy Hash: F4516B71900649ABCF219F94CD49AAF7FB9FB48750F10412AF910B2261E3398C61DF6B

Function 00468900 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 00468914

Strings

, xrefs: 0046895D
, xrefs: 00468939

Memory Dump Source

Source File: 00000000.00000002.2080870374.0000000000465000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080798679.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080822459.0000000000401000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080890901.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080911048.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PQ2.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 8a739a128cb405312d00240f0076b108f8cfc1bf0800c8ea65d5b8b068e5d4fd
Instruction ID: b91b7a80f5c212ae6bf3e4eeca3f6c145e7dbed152764a56bdc0ce5edf8456d9
Opcode Fuzzy Hash: 8a739a128cb405312d00240f0076b108f8cfc1bf0800c8ea65d5b8b068e5d4fd
Instruction Fuzzy Hash: 1D4156310042581AEB119694CD59BF63FE8DB06700F1801EBDA85D7152FB7A49989BFF

Function 101C0330 Relevance: 3.2, APIs: 2, Instructions: 210
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(10000000,00001000,00000004,?,00000000), ref: 101C04F7
VirtualProtect.KERNEL32(10000000,00001000), ref: 101C050C

Memory Dump Source

Source File: 00000000.00000002.2081566139.00000000101BB000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2081272915.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PQ2.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f30959f0f6a4eb4032516a435b7a182ae7d14d45056fa550e5aeef4c246b8788
Instruction ID: 844558c3945075b3369738829a84c8e651ef885c73b90527f10f3a1f81f79590
Opcode Fuzzy Hash: f30959f0f6a4eb4032516a435b7a182ae7d14d45056fa550e5aeef4c246b8788
Instruction Fuzzy Hash: 4251F972A543D24FD7168AB88FD07567794FB63260B2A0738E6E1C73C5E7A8D8068760

Function 00468210 Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,004675F6,00000001), ref: 00468221

Part of subcall function 004680C8: GetVersionExA.KERNEL32 ref: 004680E7

HeapDestroy.KERNEL32 ref: 00468260

Part of subcall function 0046968F: HeapAlloc.KERNEL32(00000000,00000140,00468249,000003F8), ref: 0046969C

Memory Dump Source

Source File: 00000000.00000002.2080870374.0000000000465000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080798679.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080822459.0000000000401000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080890901.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080911048.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PQ2.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 00308e250556f24be53d22c4c1e5b2513877d9e21008081d955c28075247dc7a
Instruction ID: 6e6482bd650207ad86c54233ac2670d8762018555e74c8298600f12d13cd5025
Opcode Fuzzy Hash: 00308e250556f24be53d22c4c1e5b2513877d9e21008081d955c28075247dc7a
Instruction Fuzzy Hash: D1F0ED70B58B019BEB206B719C4133A3794DB44792F104A7FF500D81A0FFB888C0965F

Function 004686AD Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004685F5: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0046922B,00000009,00000000,00000000,00000001,00468059,00000001,00000074,?,?,00000000,00000001), ref: 00468632
Part of subcall function 004685F5: EnterCriticalSection.KERNEL32(?,?,?,0046922B,00000009,00000000,00000000,00000001,00468059,00000001,00000074,?,?,00000000,00000001), ref: 0046864D

GetCPInfo.KERNEL32(00000000,?,?,00000000,00000000,?,?,00467638), ref: 004686FE

Part of subcall function 00468656: LeaveCriticalSection.KERNEL32(?,00468D8B,00000009,00468D77,00000000,?,00000000,00000000,00000000), ref: 00468663

Memory Dump Source

Source File: 00000000.00000002.2080870374.0000000000465000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080798679.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080822459.0000000000401000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080890901.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080911048.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PQ2.jbxd

Similarity

API ID: CriticalSection$EnterInfoInitializeLeave
String ID:
API String ID: 1866836854-0
Opcode ID: d544553c3794957d79ceab9ece9c6795c21eceff83caea486740067c3f9cd554
Instruction ID: 72f3e8e95f47c0a7d074f3bfbe55f138b4f0ed167d66031de908a5d040259cbe
Opcode Fuzzy Hash: d544553c3794957d79ceab9ece9c6795c21eceff83caea486740067c3f9cd554
Instruction Fuzzy Hash: 294144719142509EEB10EBA4CC8436A7BA1DB05316F28423FD245CB292FF794986878F

Function 00468CBE Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 00468DA5

Part of subcall function 004685F5: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0046922B,00000009,00000000,00000000,00000001,00468059,00000001,00000074,?,?,00000000,00000001), ref: 00468632
Part of subcall function 004685F5: EnterCriticalSection.KERNEL32(?,?,?,0046922B,00000009,00000000,00000000,00000001,00468059,00000001,00000074,?,?,00000000,00000001), ref: 0046864D

Memory Dump Source

Source File: 00000000.00000002.2080870374.0000000000465000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080798679.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080822459.0000000000401000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080890901.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080911048.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PQ2.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: d61b49250cba0679e96cc4cfd21523a09ec566e2447095eb700d5c577036a16c
Instruction ID: 023bd7e95caace73af2066e80e319a55485bbdef7d29d97c7b16ee4f705c963f
Opcode Fuzzy Hash: d61b49250cba0679e96cc4cfd21523a09ec566e2447095eb700d5c577036a16c
Instruction Fuzzy Hash: 4521AC71640608ABDB10EF65DC41B9E7774EB10724F14431FF410EB2D1FB7899418A6E

Non-executed Functions

Function 004668C0 Relevance: 54.3, APIs: 4, Strings: 27, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00062000,00000000,004010F0), ref: 0046693F
GetProcAddress.KERNEL32(00000000), ref: 00466948
GetProcAddress.KERNEL32(00000000,?), ref: 00466958
GetModuleHandleA.KERNEL32(Libr), ref: 0046695F

Strings

l, xrefs: 00466907
a, xrefs: 0046692F
N, xrefs: 004668EB
r, xrefs: 00466933
K, xrefs: 004668DE
LoadLibr, xrefs: 004668D6, 004668DA
3, xrefs: 004668F7
E, xrefs: 004668EF
E, xrefs: 004668E3
y, xrefs: 00466937
Libr, xrefs: 0046695C
a, xrefs: 00466917
o, xrefs: 00466913
b, xrefs: 00466927
r, xrefs: 0046692B
A, xrefs: 0046693B
d, xrefs: 00466903
LoadLibr, xrefs: 00466952
L, xrefs: 0046691F
i, xrefs: 00466923
d, xrefs: 0046691B
2, xrefs: 004668FB
L, xrefs: 004668F3
., xrefs: 004668FF
R, xrefs: 004668E7
L, xrefs: 0046690F
l, xrefs: 0046690B

Memory Dump Source

Source File: 00000000.00000002.2080870374.0000000000465000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080798679.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080822459.0000000000401000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080890901.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080911048.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PQ2.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: .$2$3$A$E$E$K$L$L$L$Libr$LoadLibr$LoadLibr$N$R$a$a$b$d$d$i$l$l$o$r$r$y
API String ID: 1646373207-713136220
Opcode ID: ab11df402e6262a6cd0bd32f4206eccbc3d47516eb2c55da4dfc699759f1ff03
Instruction ID: 408384f28f9ef53e4cf42fff1d531f2f4c792ab3fc2232b330d19c68f6871aa3
Opcode Fuzzy Hash: ab11df402e6262a6cd0bd32f4206eccbc3d47516eb2c55da4dfc699759f1ff03
Instruction Fuzzy Hash: D621DF519082DDEDEF0297A8C8087EEBFA65F12348F184099D58476292D3FE4658C7BA

Function 00467CDF Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0046762E), ref: 00467CFA
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0046762E), ref: 00467D0E
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0046762E), ref: 00467D3A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0046762E), ref: 00467D72
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0046762E), ref: 00467D94
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0046762E), ref: 00467DAD
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0046762E), ref: 00467DC0
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00467DFE

Strings

.vF, xrefs: 00467DA8, 00467D9A

Memory Dump Source

Source File: 00000000.00000002.2080870374.0000000000465000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080798679.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080822459.0000000000401000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080890901.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080911048.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PQ2.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID: .vF
API String ID: 1823725401-726173741
Opcode ID: 21081ef7853c4b6e1e71b35f9d3aba763abd31334b7cf08a66a00147fecdca15
Instruction ID: e0ff4c1f4c83d16eda3da060816b460531535d088a5a1c2de0a90e5b0c67148f
Opcode Fuzzy Hash: 21081ef7853c4b6e1e71b35f9d3aba763abd31334b7cf08a66a00147fecdca15
Instruction Fuzzy Hash: E93103B250D2656FD7217F789C8487B7A9CEE4535C7150E3BF582C3200FA298C8182AB

Function 0046A504 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0046859D,?,Microsoft Visual C++ Runtime Library,00012010,?,00466618,?,00466668,?,?,?,Runtime Error!Program: ), ref: 0046A516
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0046A52E
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0046A53F
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0046A54C

Strings

hfF, xrefs: 0046A572
GetLastActivePopup, xrefs: 0046A541
MessageBoxA, xrefs: 0046A528
GetActiveWindow, xrefs: 0046A539
user32.dll, xrefs: 0046A511

Memory Dump Source

Source File: 00000000.00000002.2080870374.0000000000465000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080798679.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080822459.0000000000401000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080890901.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080911048.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PQ2.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$hfF$user32.dll
API String ID: 2238633743-3168188537
Opcode ID: cfa0cc50ece0866b78a170ab5342ea6b85cd7e283ba0fb2aa1623d024210fd94
Instruction ID: 744f6a593e7a9add090b9772e32a29f883b75c07cff326d20426f5d76b4cd1ff
Opcode Fuzzy Hash: cfa0cc50ece0866b78a170ab5342ea6b85cd7e283ba0fb2aa1623d024210fd94
Instruction Fuzzy Hash: 02011E72600651AB8711DFB5DC80A5B7BE8EB54795714443BF102E2221F7B8CCA19FAF

Function 00468479 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 004684E6
GetStdHandle.KERNEL32(000000F4,00466618,00000000,00000000,00000000,?), ref: 004685BC
WriteFile.KERNEL32(00000000), ref: 004685C3

Strings

<program name unknown>, xrefs: 004684F6
Microsoft Visual C++ Runtime Library, xrefs: 00468592
..., xrefs: 00468538
Runtime Error!Program: , xrefs: 0046854C

Memory Dump Source

Source File: 00000000.00000002.2080870374.0000000000465000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080798679.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080822459.0000000000401000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080890901.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080911048.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PQ2.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: e2e85c8ef0b16a8288ff27266e0de427043c067a522af83105a15374f6e707cc
Instruction ID: 2056a4cf523c6c61efd455e582aa4bd90fb20045327001bf824e2cedd7879936
Opcode Fuzzy Hash: e2e85c8ef0b16a8288ff27266e0de427043c067a522af83105a15374f6e707cc
Instruction Fuzzy Hash: 6631C5B2600218AFEF20EB60DD45F9A736CEB55704F10065FF545E6051FA78EA418A6F

Function 0046A8DD Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,00466730,00000001,?,7591E860,0046B7E4,?,?,0046AB02,?,?,?,00000000,00000001), ref: 0046A91C
GetStringTypeA.KERNEL32(00000000,00000001,0046672C,00000001,?,?,0046AB02,?,?,?,00000000,00000001), ref: 0046A936
GetStringTypeA.KERNEL32(?,?,?,?,0046AB02,7591E860,0046B7E4,?,?,0046AB02,?,?,?,00000000,00000001), ref: 0046A96A
MultiByteToWideChar.KERNEL32(?,0046B7E5,?,?,00000000,00000000,7591E860,0046B7E4,?,?,0046AB02,?,?,?,00000000,00000001), ref: 0046A9A2
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0046AB02,?), ref: 0046A9F8
GetStringTypeW.KERNEL32(?,?,00000000,0046AB02,?,?,?,?,?,?,0046AB02,?), ref: 0046AA0A

Memory Dump Source

Source File: 00000000.00000002.2080870374.0000000000465000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080798679.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080822459.0000000000401000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080890901.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080911048.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PQ2.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: ab4217411143ffe3254ca9e7388d5397779f7d60e845bb51e8d462f5dba7c91c
Instruction ID: 5d04ebb630ede76be34a412984aa30ef206bdfb02e237f80f5ded91fe66f7989
Opcode Fuzzy Hash: ab4217411143ffe3254ca9e7388d5397779f7d60e845bb51e8d462f5dba7c91c
Instruction Fuzzy Hash: 3F417EB1600609BFCF108F94DD85EAF3B69EB05754F204526F915F2260E3398DA4DBAB

Function 004680C8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 004680E7
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 0046811C
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0046817C

Strings

__MSVCRT_HEAP_SELECT, xrefs: 00468117
__GLOBAL_HEAP_SELECTED, xrefs: 00468156

Memory Dump Source

Source File: 00000000.00000002.2080870374.0000000000465000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080798679.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080822459.0000000000401000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080890901.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080911048.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PQ2.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 53528356a6435874c4cea8836d0c504b681df6164dbf9ca25d22a8d434fd30e9
Instruction ID: 5b987649a18d894d0e495aeb664bcd7067431a9f38e5e2f94aadff08a1f212ff
Opcode Fuzzy Hash: 53528356a6435874c4cea8836d0c504b681df6164dbf9ca25d22a8d434fd30e9
Instruction Fuzzy Hash: 3331F3719452886AEB3186709C51BDB37689B03308F1402DFE185E5242FE788EC7CB1B

Function 00467E11 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 00467E6F
GetFileType.KERNEL32(?,?,00000000), ref: 00467F1A
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00467F7D
GetFileType.KERNEL32(00000000,?,00000000), ref: 00467F8B
SetHandleCount.KERNEL32 ref: 00467FC2

Memory Dump Source

Source File: 00000000.00000002.2080870374.0000000000465000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080798679.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080822459.0000000000401000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080890901.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080911048.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PQ2.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 34c641e5c7566a4f61e51126171c732304a31f5bcaff118d0c42436aae4cc374
Instruction ID: 904a1bf5860a3ccec006ab94641980349b31f95e458b6625cd4b51425871e72e
Opcode Fuzzy Hash: 34c641e5c7566a4f61e51126171c732304a31f5bcaff118d0c42436aae4cc374
Instruction Fuzzy Hash: AD5134315083058FD724CF28C884B667BA0EB1172CF2446AED5A6DB6E1F7389C49C75B

Function 00468034 Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,0046AAAD,00469480,00000000,?,?,00000000,00000001), ref: 00468036
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00468044
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00468090

Part of subcall function 00469175: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00468059,00000001,00000074,?,?,00000000,00000001), ref: 0046926B

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00468068
GetCurrentThreadId.KERNEL32 ref: 00468079

Memory Dump Source

Source File: 00000000.00000002.2080870374.0000000000465000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080798679.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080822459.0000000000401000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080890901.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080911048.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PQ2.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 8052f77e0d2cf52281169dad796c00c49ce1532b00fa052d94a585fd97d9bf58
Instruction ID: b74b10b1bdd3e7229d6419e3796b190ce8a51909fc87ae4804f62f1af361191e
Opcode Fuzzy Hash: 8052f77e0d2cf52281169dad796c00c49ce1532b00fa052d94a585fd97d9bf58
Instruction Fuzzy Hash: B4F0F6316002515BD7302B75BD0956A3B649B01771B150B3EF5C2E56B0EF788CC5466A

Function 00469EE0 Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,00463C80,00463C80,?,?,0046A3AC,00000000,00000010,00000000,00000009,00000009,?,00468D6A,00000010,00000000), ref: 00469F01
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,0046A3AC,00000000,00000010,00000000,00000009,00000009,?,00468D6A,00000010,00000000), ref: 00469F25
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,0046A3AC,00000000,00000010,00000000,00000009,00000009,?,00468D6A,00000010,00000000), ref: 00469F3F
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0046A3AC,00000000,00000010,00000000,00000009,00000009,?,00468D6A,00000010,00000000,?), ref: 0046A000
HeapFree.KERNEL32(00000000,00000000,?,?,0046A3AC,00000000,00000010,00000000,00000009,00000009,?,00468D6A,00000010,00000000,?,00000000), ref: 0046A017

Memory Dump Source

Source File: 00000000.00000002.2080870374.0000000000465000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080798679.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080822459.0000000000401000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080890901.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080911048.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PQ2.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 2bf0c84c70cf4df8327d2a3aebbceef8d6b212f0e4515c6402ae096c437e29aa
Instruction ID: 445181fbcf65ce7e9d39d92d2b604eca806c0f8a9288605ab4d6bb1f59089151
Opcode Fuzzy Hash: 2bf0c84c70cf4df8327d2a3aebbceef8d6b212f0e4515c6402ae096c437e29aa
Instruction Fuzzy Hash: 1C31D072600701ABE3308F24DC44B66BBA8EB44755F11423BF156E7790FBB8AD409B4E

Function 00469D34 Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00469AFC,00000000,00000000,00000000,00468D0C,00000000,00000000,?,00000000,00000000,00000000), ref: 00469D5C
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00469AFC,00000000,00000000,00000000,00468D0C,00000000,00000000,?,00000000,00000000,00000000), ref: 00469D90
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00469DAA
HeapFree.KERNEL32(00000000,?), ref: 00469DC1

Memory Dump Source

Source File: 00000000.00000002.2080870374.0000000000465000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080798679.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080822459.0000000000401000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080890901.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080911048.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PQ2.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 85db0018b5f02a0a531da6da56e99f1b82eb4dab677bd662bfc4afaa2d152d60
Instruction ID: a1c2a3597b2230bcaeaffa70772468b135f739cde47e51b730ca6c90506df880
Opcode Fuzzy Hash: 85db0018b5f02a0a531da6da56e99f1b82eb4dab677bd662bfc4afaa2d152d60
Instruction Fuzzy Hash: AE114F70600701EFC7218F2AEC45D627BB9FB85721711493AF1A2D65B0E3B198C2CF8A

Function 004685CC Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,00467FD3,?,00467608), ref: 004685D9
InitializeCriticalSection.KERNEL32(?,00467FD3,?,00467608), ref: 004685E1
InitializeCriticalSection.KERNEL32(?,00467FD3,?,00467608), ref: 004685E9
InitializeCriticalSection.KERNEL32(?,00467FD3,?,00467608), ref: 004685F1

Memory Dump Source

Source File: 00000000.00000002.2080870374.0000000000465000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2080798679.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080822459.0000000000401000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080890901.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2080911048.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PQ2.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 503c6c650575022db7612a51c23a455fa7bd590d9805bfc3dac3f36800976718
Instruction ID: 0ad9e4f4a03855f4481bac37ad47b37e425ca202d897247833f3bf621bba40d6
Opcode Fuzzy Hash: 503c6c650575022db7612a51c23a455fa7bd590d9805bfc3dac3f36800976718
Instruction Fuzzy Hash: 6BC002318040B49ACF126F95FE06946BF25EB447A23050077F5845143497A21D50FFD9

Analysis Process: Deuvw.exePID: 7300, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	5.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	406
Total number of Limit Nodes:	17

Executed Functions

Function 00466B6A Relevance: 60.2, APIs: 2, Strings: 38, Instructions: 189
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004668C0: GetModuleHandleA.KERNEL32(?,00062000,00000000,004010F0), ref: 0046693F
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000), ref: 00466948
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000,?), ref: 00466958

Part of subcall function 004668C0: GetModuleHandleA.KERNEL32(Libr), ref: 0046695F

VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,?,?,?,?,?,?,004010F0), ref: 00466CA3
VirtualAlloc.KERNEL32(00000016,?,00001000,00000004,?,?,?,?,?,?,?,004010F0), ref: 00466CEE

Strings

t, xrefs: 00466BC2
r, xrefs: 00466C0B
V, xrefs: 00466BB6
o, xrefs: 00466C64
HeapAlloc, xrefs: 00466C3F
s, xrefs: 00466C1B
e, xrefs: 00466C27
e, xrefs: 00466BFF
o, xrefs: 00466BDE
l, xrefs: 00466C60
a, xrefs: 00466C2B
a, xrefs: 00466BCA
e, xrefs: 00466C4C
p, xrefs: 00466C2F
s, xrefs: 00466C1F
l, xrefs: 00466C5C
c, xrefs: 00466C13
t, xrefs: 00466C03
VirtualAlloc, xrefs: 00466B7A
l, xrefs: 00466BD6
r, xrefs: 00466BBE
i, xrefs: 00466BBA
a, xrefs: 00466C50
c, xrefs: 00466BE2
A, xrefs: 00466BD2
P, xrefs: 00466C07
l, xrefs: 00466BCE
KERNEL32.dll, xrefs: 00466BFA, 00466BFD
A, xrefs: 00466C58
e, xrefs: 00466C17
p, xrefs: 00466C54
H, xrefs: 00466C23
l, xrefs: 00466BDA
u, xrefs: 00466BC6
c, xrefs: 00466C68
H, xrefs: 00466C42
G, xrefs: 00466BF5
o, xrefs: 00466C0F

Memory Dump Source

Source File: 00000001.00000002.2081387905.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2081006469.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081043241.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081417446.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081438266.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Deuvw.jbxd

Similarity

API ID: AddressAllocHandleModuleProcVirtual
String ID: A$A$G$H$H$HeapAlloc$KERNEL32.dll$P$V$VirtualAlloc$a$a$a$c$c$c$e$e$e$e$i$l$l$l$l$l$o$o$o$p$p$r$r$s$s$t$t$u
API String ID: 3695083113-2890414303
Opcode ID: eea5828057d8a8a3ca217eb1021cde760f26655aafc521580391e7091950ef6c
Instruction ID: 56dfe851e749cfa52889f2bfcfc8cef8fedfa8cb50ddae72ef14544c6a3e4736
Opcode Fuzzy Hash: eea5828057d8a8a3ca217eb1021cde760f26655aafc521580391e7091950ef6c
Instruction Fuzzy Hash: 06814271D08288DEEB11DBA8C844BDEBFF55F16708F084089E5807B282D7BE5549C77A

Function 00466EB1 Relevance: 52.6, APIs: 1, Strings: 29, Instructions: 128
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004668C0: GetModuleHandleA.KERNEL32(?,00062000,00000000,004010F0), ref: 0046693F
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000), ref: 00466948
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000,?), ref: 00466958

Part of subcall function 004668C0: GetModuleHandleA.KERNEL32(Libr), ref: 0046695F

VirtualProtect.KERNEL32(?,?,00000000,?,00000016,00000000,?,?,?,?,?,?), ref: 00467017

Strings

u, xrefs: 00466F46
o, xrefs: 00466F5A
P, xrefs: 00466F52
RmF, xrefs: 00466F79, 0046701D
e, xrefs: 00466F1E
l, xrefs: 00466F4E
t, xrefs: 00466F5E
i, xrefs: 00466EFA
a, xrefs: 00466F4A
r, xrefs: 00466F56
t, xrefs: 00466F02
r, xrefs: 00466EFE
V, xrefs: 00466EF6
e, xrefs: 00466F62
e, xrefs: 00466F1A
i, xrefs: 00466F3A
@, xrefs: 00466FF6
r, xrefs: 00466F3E
l, xrefs: 00466F0E
c, xrefs: 00466F66
r, xrefs: 00466F16
RmF, xrefs: 0046701A
a, xrefs: 00466F0A
KERNEL32.dll, xrefs: 00466F31, 00466F34
u, xrefs: 00466F06
V, xrefs: 00466F36
t, xrefs: 00466F6A
F, xrefs: 00466F12
t, xrefs: 00466F42

Memory Dump Source

Source File: 00000001.00000002.2081387905.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2081006469.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081043241.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081417446.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081438266.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Deuvw.jbxd

Similarity

API ID: AddressHandleModuleProc$ProtectVirtual
String ID: @$F$KERNEL32.dll$P$RmF$RmF$V$V$a$a$c$e$e$e$i$i$l$l$o$r$r$r$r$t$t$t$t$u$u
API String ID: 2080333215-3833892956
Opcode ID: cb608eef3711ebfc93400a4942087660b63e14b03940701ee4406093afd551ff
Instruction ID: 72b4ce0505e3628847bb6db0ce6ea59a5e3d376deda158c5c7a16eff45700afd
Opcode Fuzzy Hash: cb608eef3711ebfc93400a4942087660b63e14b03940701ee4406093afd551ff
Instruction Fuzzy Hash: 60513270C082C8DEDB02CBA8D5887DEBFB56F16348F184099D5847B292D3BE5A09C776

Function 004670B7 Relevance: 50.9, APIs: 2, Strings: 27, Instructions: 149
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004668C0: GetModuleHandleA.KERNEL32(?,00062000,00000000,004010F0), ref: 0046693F
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000), ref: 00466948
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000,?), ref: 00466958

Part of subcall function 004668C0: GetModuleHandleA.KERNEL32(Libr), ref: 0046695F

LoadLibraryA.KERNEL32(?,?,?,?,00000016,00000000,?), ref: 004671C7
GetProcAddress.KERNEL32(?,GmF), ref: 0046723C

Strings

r, xrefs: 0046712F
KERNEL32.dll, xrefs: 00467146, 00467149
o, xrefs: 0046714B
a, xrefs: 00467167
a, xrefs: 0046711F
s, xrefs: 00467107
P, xrefs: 00467127
y, xrefs: 0046716F
t, xrefs: 0046712B
d, xrefs: 00467153
L, xrefs: 00467141
GmF, xrefs: 004671B6, 00467209, 00467230
I, xrefs: 00467103
d, xrefs: 00467123
B, xrefs: 0046710B
b, xrefs: 0046715F
i, xrefs: 0046715B
GmF, xrefs: 0046717C, 00467219, 00467238
R, xrefs: 00467117
e, xrefs: 0046711B
a, xrefs: 0046714F
A, xrefs: 00467173
a, xrefs: 0046710F
d, xrefs: 00467113
r, xrefs: 00467163
L, xrefs: 00467157
r, xrefs: 0046716B

Memory Dump Source

Source File: 00000001.00000002.2081387905.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2081006469.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081043241.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081417446.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081438266.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Deuvw.jbxd

Similarity

API ID: AddressProc$HandleModule$LibraryLoad
String ID: A$B$GmF$GmF$I$KERNEL32.dll$L$L$P$R$a$a$a$a$b$d$d$d$e$i$o$r$r$r$s$t$y
API String ID: 551388010-1369886350
Opcode ID: 9146fd96053e2050b3294d5e699eb0beb02dc719ea692024da2c8e9b1210d4cc
Instruction ID: 73e0fe1b8e5c6c9f5f942eac17084d9bf6255d1aace67817413c182afa2f5bd3
Opcode Fuzzy Hash: 9146fd96053e2050b3294d5e699eb0beb02dc719ea692024da2c8e9b1210d4cc
Instruction Fuzzy Hash: 30615470D08289DEEB11CBA8C8447DEBFF56F15358F184099E584A7382D3BD9944C776

Function 00466D84 Relevance: 37.6, APIs: 1, Strings: 24, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004668C0: GetModuleHandleA.KERNEL32(?,00062000,00000000,004010F0), ref: 0046693F
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000), ref: 00466948
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000,?), ref: 00466958

VirtualAlloc.KERNEL32(?,?,00001000,00000004,00000016,00000000,?), ref: 00466E7A

Strings

l, xrefs: 00466DE8
d, xrefs: 00466DC4
i, xrefs: 00466DD4
l, xrefs: 00466DF0
2, xrefs: 00466DBC
l, xrefs: 00466DF4
r, xrefs: 00466DD8
3, xrefs: 00466DB8
L, xrefs: 00466DB4
u, xrefs: 00466DE0
o, xrefs: 00466DF8
l, xrefs: 00466DCC
E, xrefs: 00466DB0
A, xrefs: 00466DEC
a, xrefs: 00466DE4
V, xrefs: 00466DD0
., xrefs: 00466DC0
c, xrefs: 00466DFC
R, xrefs: 00466DA8
K, xrefs: 00466DA0
l, xrefs: 00466DC8
t, xrefs: 00466DDC
N, xrefs: 00466DAC
E, xrefs: 00466DA4

Memory Dump Source

Source File: 00000001.00000002.2081387905.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2081006469.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081043241.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081417446.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081438266.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Deuvw.jbxd

Similarity

API ID: AddressProc$AllocHandleModuleVirtual
String ID: .$2$3$A$E$E$K$L$N$R$V$a$c$d$i$l$l$l$l$l$o$r$t$u
API String ID: 3787274985-1410553462
Opcode ID: 9a20da68c6a90be79534ff80353c2f0603882a79139077a3888f10a88befb3b9
Instruction ID: b7ee7351b5069f9bbbcd0e3288277ca9420c032c07cd61825cf92ba50ad0a3c8
Opcode Fuzzy Hash: 9a20da68c6a90be79534ff80353c2f0603882a79139077a3888f10a88befb3b9
Instruction Fuzzy Hash: 02416171D04288DBDF01CBA8C448BDEBFF1AF55704F084099D584AB382D3BA5A58C779

Function 0046A68E Relevance: 13.7, APIs: 9, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringW.KERNEL32(00000000,00000100,00466730,00000001,00000000,00000000,7591E860,0046B7E4,?,?,?,0046AB02,?,?,?,00000000), ref: 0046A6D0
LCMapStringA.KERNEL32(00000000,00000100,0046672C,00000001,00000000,00000000,?,?,0046AB02,?,?,?,00000000,00000001), ref: 0046A6EC
LCMapStringA.KERNEL32(?,?,?,0046AB02,?,?,7591E860,0046B7E4,?,?,?,0046AB02,?,?,?,00000000), ref: 0046A735
MultiByteToWideChar.KERNEL32(?,0046B7E5,?,0046AB02,00000000,00000000,7591E860,0046B7E4,?,?,?,0046AB02,?,?,?,00000000), ref: 0046A76D
MultiByteToWideChar.KERNEL32(00000000,00000001,?,0046AB02,?,00000000,?,?,0046AB02,?), ref: 0046A7C5
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0046AB02,?), ref: 0046A7DB
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0046AB02,?), ref: 0046A80E
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0046AB02,?), ref: 0046A876

Memory Dump Source

Source File: 00000001.00000002.2081387905.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2081006469.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081043241.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081417446.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081438266.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Deuvw.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: a28fd5e3e5a475bf9b6a264a68c1a845a1e8dddc284e8329ea69289aa823242b
Instruction ID: 12cc6b9feb3d9a71118cc58f801efc8483379fe271ac96587175e3a828ac97c7
Opcode Fuzzy Hash: a28fd5e3e5a475bf9b6a264a68c1a845a1e8dddc284e8329ea69289aa823242b
Instruction Fuzzy Hash: F4516B71900649ABCF219F94CD49AAF7FB9FB48750F10412AF910B2261E3398C61DF6B

Function 00467598 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 004675BE

Part of subcall function 00468210: HeapCreate.KERNEL32(00000000,00001000,00000000,004675F6,00000001), ref: 00468221
Part of subcall function 00468210: HeapDestroy.KERNEL32 ref: 00468260

GetCommandLineA.KERNEL32 ref: 0046761E
GetStartupInfoA.KERNEL32(?), ref: 00467649
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0046766C

Part of subcall function 004676C5: ExitProcess.KERNEL32 ref: 004676E2

Strings

x1m, xrefs: 00467624

Memory Dump Source

Source File: 00000001.00000002.2081387905.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2081006469.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081043241.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081417446.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081438266.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Deuvw.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID: x1m
API String ID: 2057626494-1358822061
Opcode ID: 74ae398f86775484538032804f60e5769ebf57acb35412f92e8c4fd7a89ff731
Instruction ID: f877db75b34aef535155fa93e1ad8a33f9cc10bfb3bd4b0f6148cfe794d3ada0
Opcode Fuzzy Hash: 74ae398f86775484538032804f60e5769ebf57acb35412f92e8c4fd7a89ff731
Instruction Fuzzy Hash: 902165B19447059ED704AFB5DD46A6E7BA8EF0471CF10452FF501972A2FB784880CB9B

Function 00468900 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 00468914

Strings

, xrefs: 0046895D
, xrefs: 00468939

Memory Dump Source

Source File: 00000001.00000002.2081387905.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2081006469.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081043241.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081417446.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081438266.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Deuvw.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 8a739a128cb405312d00240f0076b108f8cfc1bf0800c8ea65d5b8b068e5d4fd
Instruction ID: b91b7a80f5c212ae6bf3e4eeca3f6c145e7dbed152764a56bdc0ce5edf8456d9
Opcode Fuzzy Hash: 8a739a128cb405312d00240f0076b108f8cfc1bf0800c8ea65d5b8b068e5d4fd
Instruction Fuzzy Hash: 1D4156310042581AEB119694CD59BF63FE8DB06700F1801EBDA85D7152FB7A49989BFF

Function 00468210 Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,004675F6,00000001), ref: 00468221

Part of subcall function 004680C8: GetVersionExA.KERNEL32 ref: 004680E7

HeapDestroy.KERNEL32 ref: 00468260

Part of subcall function 0046968F: HeapAlloc.KERNEL32(00000000,00000140,00468249,000003F8), ref: 0046969C

Memory Dump Source

Source File: 00000001.00000002.2081387905.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2081006469.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081043241.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081417446.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081438266.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Deuvw.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 00308e250556f24be53d22c4c1e5b2513877d9e21008081d955c28075247dc7a
Instruction ID: 6e6482bd650207ad86c54233ac2670d8762018555e74c8298600f12d13cd5025
Opcode Fuzzy Hash: 00308e250556f24be53d22c4c1e5b2513877d9e21008081d955c28075247dc7a
Instruction Fuzzy Hash: D1F0ED70B58B019BEB206B719C4133A3794DB44792F104A7FF500D81A0FFB888C0965F

Function 004686AD Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004685F5: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0046922B,00000009,00000000,00000000,00000001,00468059,00000001,00000074,?,?,00000000,00000001), ref: 00468632
Part of subcall function 004685F5: EnterCriticalSection.KERNEL32(?,?,?,0046922B,00000009,00000000,00000000,00000001,00468059,00000001,00000074,?,?,00000000,00000001), ref: 0046864D

GetCPInfo.KERNEL32(00000000,?,?,00000000,00000000,?,?,00467638), ref: 004686FE

Part of subcall function 00468656: LeaveCriticalSection.KERNEL32(?,00468D8B,00000009,00468D77,00000000,?,00000000,00000000,00000000), ref: 00468663

Memory Dump Source

Source File: 00000001.00000002.2081387905.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2081006469.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081043241.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081417446.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081438266.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Deuvw.jbxd

Similarity

API ID: CriticalSection$EnterInfoInitializeLeave
String ID:
API String ID: 1866836854-0
Opcode ID: d544553c3794957d79ceab9ece9c6795c21eceff83caea486740067c3f9cd554
Instruction ID: 72f3e8e95f47c0a7d074f3bfbe55f138b4f0ed167d66031de908a5d040259cbe
Opcode Fuzzy Hash: d544553c3794957d79ceab9ece9c6795c21eceff83caea486740067c3f9cd554
Instruction Fuzzy Hash: 294144719142509EEB10EBA4CC8436A7BA1DB05316F28423FD245CB292FF794986878F

Non-executed Functions

Function 004668C0 Relevance: 54.3, APIs: 4, Strings: 27, Instructions: 65
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,00062000,00000000,004010F0), ref: 0046693F
GetProcAddress.KERNEL32(00000000), ref: 00466948
GetProcAddress.KERNEL32(00000000,?), ref: 00466958
GetModuleHandleA.KERNEL32(Libr), ref: 0046695F

Strings

3, xrefs: 004668F7
K, xrefs: 004668DE
l, xrefs: 0046690B
L, xrefs: 0046690F
a, xrefs: 00466917
d, xrefs: 0046691B
b, xrefs: 00466927
A, xrefs: 0046693B
2, xrefs: 004668FB
i, xrefs: 00466923
r, xrefs: 00466933
Libr, xrefs: 0046695C
LoadLibr, xrefs: 004668D6, 004668DA
., xrefs: 004668FF
r, xrefs: 0046692B
a, xrefs: 0046692F
E, xrefs: 004668EF
R, xrefs: 004668E7
N, xrefs: 004668EB
d, xrefs: 00466903
l, xrefs: 00466907
y, xrefs: 00466937
LoadLibr, xrefs: 00466952
L, xrefs: 0046691F
E, xrefs: 004668E3
L, xrefs: 004668F3
o, xrefs: 00466913

Memory Dump Source

Source File: 00000001.00000002.2081387905.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2081006469.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081043241.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081417446.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081438266.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Deuvw.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: .$2$3$A$E$E$K$L$L$L$Libr$LoadLibr$LoadLibr$N$R$a$a$b$d$d$i$l$l$o$r$r$y
API String ID: 1646373207-713136220
Opcode ID: ab11df402e6262a6cd0bd32f4206eccbc3d47516eb2c55da4dfc699759f1ff03
Instruction ID: 408384f28f9ef53e4cf42fff1d531f2f4c792ab3fc2232b330d19c68f6871aa3
Opcode Fuzzy Hash: ab11df402e6262a6cd0bd32f4206eccbc3d47516eb2c55da4dfc699759f1ff03
Instruction Fuzzy Hash: D621DF519082DDEDEF0297A8C8087EEBFA65F12348F184099D58476292D3FE4658C7BA

Function 00467CDF Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0046762E), ref: 00467CFA
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0046762E), ref: 00467D0E
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0046762E), ref: 00467D3A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0046762E), ref: 00467D72
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0046762E), ref: 00467D94
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0046762E), ref: 00467DAD
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0046762E), ref: 00467DC0
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00467DFE

Strings

.vF, xrefs: 00467DA8, 00467D9A

Memory Dump Source

Source File: 00000001.00000002.2081387905.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2081006469.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081043241.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081417446.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081438266.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Deuvw.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID: .vF
API String ID: 1823725401-726173741
Opcode ID: 21081ef7853c4b6e1e71b35f9d3aba763abd31334b7cf08a66a00147fecdca15
Instruction ID: e0ff4c1f4c83d16eda3da060816b460531535d088a5a1c2de0a90e5b0c67148f
Opcode Fuzzy Hash: 21081ef7853c4b6e1e71b35f9d3aba763abd31334b7cf08a66a00147fecdca15
Instruction Fuzzy Hash: E93103B250D2656FD7217F789C8487B7A9CEE4535C7150E3BF582C3200FA298C8182AB

Function 0046A504 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0046859D,?,Microsoft Visual C++ Runtime Library,00012010,?,00466618,?,00466668,?,?,?,Runtime Error!Program: ), ref: 0046A516
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0046A52E
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0046A53F
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0046A54C

Strings

GetActiveWindow, xrefs: 0046A539
GetLastActivePopup, xrefs: 0046A541
hfF, xrefs: 0046A572
MessageBoxA, xrefs: 0046A528
user32.dll, xrefs: 0046A511

Memory Dump Source

Source File: 00000001.00000002.2081387905.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2081006469.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081043241.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081417446.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081438266.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Deuvw.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$hfF$user32.dll
API String ID: 2238633743-3168188537
Opcode ID: cfa0cc50ece0866b78a170ab5342ea6b85cd7e283ba0fb2aa1623d024210fd94
Instruction ID: 744f6a593e7a9add090b9772e32a29f883b75c07cff326d20426f5d76b4cd1ff
Opcode Fuzzy Hash: cfa0cc50ece0866b78a170ab5342ea6b85cd7e283ba0fb2aa1623d024210fd94
Instruction Fuzzy Hash: 02011E72600651AB8711DFB5DC80A5B7BE8EB54795714443BF102E2221F7B8CCA19FAF

Function 00468479 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 004684E6
GetStdHandle.KERNEL32(000000F4,00466618,00000000,00000000,00000000,?), ref: 004685BC
WriteFile.KERNEL32(00000000), ref: 004685C3

Strings

Microsoft Visual C++ Runtime Library, xrefs: 00468592
<program name unknown>, xrefs: 004684F6
Runtime Error!Program: , xrefs: 0046854C
..., xrefs: 00468538

Memory Dump Source

Source File: 00000001.00000002.2081387905.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2081006469.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081043241.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081417446.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081438266.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Deuvw.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: e2e85c8ef0b16a8288ff27266e0de427043c067a522af83105a15374f6e707cc
Instruction ID: 2056a4cf523c6c61efd455e582aa4bd90fb20045327001bf824e2cedd7879936
Opcode Fuzzy Hash: e2e85c8ef0b16a8288ff27266e0de427043c067a522af83105a15374f6e707cc
Instruction Fuzzy Hash: 6631C5B2600218AFEF20EB60DD45F9A736CEB55704F10065FF545E6051FA78EA418A6F

Function 0046A8DD Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,00466730,00000001,?,7591E860,0046B7E4,?,?,0046AB02,?,?,?,00000000,00000001), ref: 0046A91C
GetStringTypeA.KERNEL32(00000000,00000001,0046672C,00000001,?,?,0046AB02,?,?,?,00000000,00000001), ref: 0046A936
GetStringTypeA.KERNEL32(?,?,?,?,0046AB02,7591E860,0046B7E4,?,?,0046AB02,?,?,?,00000000,00000001), ref: 0046A96A
MultiByteToWideChar.KERNEL32(?,0046B7E5,?,?,00000000,00000000,7591E860,0046B7E4,?,?,0046AB02,?,?,?,00000000,00000001), ref: 0046A9A2
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0046AB02,?), ref: 0046A9F8
GetStringTypeW.KERNEL32(?,?,00000000,0046AB02,?,?,?,?,?,?,0046AB02,?), ref: 0046AA0A

Memory Dump Source

Source File: 00000001.00000002.2081387905.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2081006469.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081043241.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081417446.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081438266.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Deuvw.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: ab4217411143ffe3254ca9e7388d5397779f7d60e845bb51e8d462f5dba7c91c
Instruction ID: 5d04ebb630ede76be34a412984aa30ef206bdfb02e237f80f5ded91fe66f7989
Opcode Fuzzy Hash: ab4217411143ffe3254ca9e7388d5397779f7d60e845bb51e8d462f5dba7c91c
Instruction Fuzzy Hash: 3F417EB1600609BFCF108F94DD85EAF3B69EB05754F204526F915F2260E3398DA4DBAB

Function 004680C8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 004680E7
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 0046811C
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0046817C

Strings

__MSVCRT_HEAP_SELECT, xrefs: 00468117
__GLOBAL_HEAP_SELECTED, xrefs: 00468156

Memory Dump Source

Source File: 00000001.00000002.2081387905.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2081006469.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081043241.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081417446.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081438266.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Deuvw.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 53528356a6435874c4cea8836d0c504b681df6164dbf9ca25d22a8d434fd30e9
Instruction ID: 5b987649a18d894d0e495aeb664bcd7067431a9f38e5e2f94aadff08a1f212ff
Opcode Fuzzy Hash: 53528356a6435874c4cea8836d0c504b681df6164dbf9ca25d22a8d434fd30e9
Instruction Fuzzy Hash: 3331F3719452886AEB3186709C51BDB37689B03308F1402DFE185E5242FE788EC7CB1B

Function 00467E11 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 00467E6F
GetFileType.KERNEL32(?,?,00000000), ref: 00467F1A
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00467F7D
GetFileType.KERNEL32(00000000,?,00000000), ref: 00467F8B
SetHandleCount.KERNEL32 ref: 00467FC2

Memory Dump Source

Source File: 00000001.00000002.2081387905.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2081006469.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081043241.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081417446.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081438266.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Deuvw.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 34c641e5c7566a4f61e51126171c732304a31f5bcaff118d0c42436aae4cc374
Instruction ID: 904a1bf5860a3ccec006ab94641980349b31f95e458b6625cd4b51425871e72e
Opcode Fuzzy Hash: 34c641e5c7566a4f61e51126171c732304a31f5bcaff118d0c42436aae4cc374
Instruction Fuzzy Hash: AD5134315083058FD724CF28C884B667BA0EB1172CF2446AED5A6DB6E1F7389C49C75B

Function 00468034 Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,0046AAAD,00469480,00000000,?,?,00000000,00000001), ref: 00468036
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00468044
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00468090

Part of subcall function 00469175: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00468059,00000001,00000074,?,?,00000000,00000001), ref: 0046926B

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00468068
GetCurrentThreadId.KERNEL32 ref: 00468079

Memory Dump Source

Source File: 00000001.00000002.2081387905.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2081006469.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081043241.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081417446.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081438266.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Deuvw.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 8052f77e0d2cf52281169dad796c00c49ce1532b00fa052d94a585fd97d9bf58
Instruction ID: b74b10b1bdd3e7229d6419e3796b190ce8a51909fc87ae4804f62f1af361191e
Opcode Fuzzy Hash: 8052f77e0d2cf52281169dad796c00c49ce1532b00fa052d94a585fd97d9bf58
Instruction Fuzzy Hash: B4F0F6316002515BD7302B75BD0956A3B649B01771B150B3EF5C2E56B0EF788CC5466A

Function 00469EE0 Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,00463C80,00463C80,?,?,0046A3AC,00000000,00000010,00000000,00000009,00000009,?,00468D6A,00000010,00000000), ref: 00469F01
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,0046A3AC,00000000,00000010,00000000,00000009,00000009,?,00468D6A,00000010,00000000), ref: 00469F25
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,0046A3AC,00000000,00000010,00000000,00000009,00000009,?,00468D6A,00000010,00000000), ref: 00469F3F
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0046A3AC,00000000,00000010,00000000,00000009,00000009,?,00468D6A,00000010,00000000,?), ref: 0046A000
HeapFree.KERNEL32(00000000,00000000,?,?,0046A3AC,00000000,00000010,00000000,00000009,00000009,?,00468D6A,00000010,00000000,?,00000000), ref: 0046A017

Memory Dump Source

Source File: 00000001.00000002.2081387905.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2081006469.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081043241.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081417446.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081438266.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Deuvw.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 2bf0c84c70cf4df8327d2a3aebbceef8d6b212f0e4515c6402ae096c437e29aa
Instruction ID: 445181fbcf65ce7e9d39d92d2b604eca806c0f8a9288605ab4d6bb1f59089151
Opcode Fuzzy Hash: 2bf0c84c70cf4df8327d2a3aebbceef8d6b212f0e4515c6402ae096c437e29aa
Instruction Fuzzy Hash: 1C31D072600701ABE3308F24DC44B66BBA8EB44755F11423BF156E7790FBB8AD409B4E

Function 00467A92 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Program Files\Deuvw.exe,00000104,?,00000000,?,?,?,?,00467638), ref: 00467AB5

Strings

C:\Program Files\Deuvw.exe, xrefs: 00467AA9, 00467AB3, 00467AD8, 00467B0E
x1m, xrefs: 00467ABB

Memory Dump Source

Source File: 00000001.00000002.2081387905.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2081006469.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081043241.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081417446.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081438266.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Deuvw.jbxd

Similarity

API ID: FileModuleName
String ID: C:\Program Files\Deuvw.exe$x1m
API String ID: 514040917-541418664
Opcode ID: d83c7c4e9e1193ae3d3f180d9194bdeb499f7cac9df07e2eddc262459bf5ec96
Instruction ID: 5c724fa40256d467c63a20c8c08852a6288f263fca8b5ddd64194d7735452be0
Opcode Fuzzy Hash: d83c7c4e9e1193ae3d3f180d9194bdeb499f7cac9df07e2eddc262459bf5ec96
Instruction Fuzzy Hash: 9C114CB2904108BFD711EBD9DD81CAB77ACEB44758B14016BF605D3202FA74AE458BEA

Function 00469D34 Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00469AFC,00000000,00000000,00000000,00468D0C,00000000,00000000,?,00000000,00000000,00000000), ref: 00469D5C
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00469AFC,00000000,00000000,00000000,00468D0C,00000000,00000000,?,00000000,00000000,00000000), ref: 00469D90
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00469DAA
HeapFree.KERNEL32(00000000,?), ref: 00469DC1

Memory Dump Source

Source File: 00000001.00000002.2081387905.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2081006469.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081043241.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081417446.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081438266.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Deuvw.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 85db0018b5f02a0a531da6da56e99f1b82eb4dab677bd662bfc4afaa2d152d60
Instruction ID: a1c2a3597b2230bcaeaffa70772468b135f739cde47e51b730ca6c90506df880
Opcode Fuzzy Hash: 85db0018b5f02a0a531da6da56e99f1b82eb4dab677bd662bfc4afaa2d152d60
Instruction Fuzzy Hash: AE114F70600701EFC7218F2AEC45D627BB9FB85721711493AF1A2D65B0E3B198C2CF8A

Function 004685CC Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,00467FD3,?,00467608), ref: 004685D9
InitializeCriticalSection.KERNEL32(?,00467FD3,?,00467608), ref: 004685E1
InitializeCriticalSection.KERNEL32(?,00467FD3,?,00467608), ref: 004685E9
InitializeCriticalSection.KERNEL32(?,00467FD3,?,00467608), ref: 004685F1

Memory Dump Source

Source File: 00000001.00000002.2081387905.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2081006469.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081043241.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081417446.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2081438266.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Deuvw.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 503c6c650575022db7612a51c23a455fa7bd590d9805bfc3dac3f36800976718
Instruction ID: 0ad9e4f4a03855f4481bac37ad47b37e425ca202d897247833f3bf621bba40d6
Opcode Fuzzy Hash: 503c6c650575022db7612a51c23a455fa7bd590d9805bfc3dac3f36800976718
Instruction Fuzzy Hash: 6BC002318040B49ACF126F95FE06946BF25EB447A23050077F5845143497A21D50FFD9

Analysis Process: Deuvw.exePID: 7332, Parent PID: 7300COMMON

Execution Graph

Execution Coverage:	5.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	406
Total number of Limit Nodes:	17

Executed Functions

Function 00466B6A Relevance: 60.2, APIs: 2, Strings: 38, Instructions: 189
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004668C0: GetModuleHandleA.KERNEL32(?,00062000,00000000,004010F0), ref: 0046693F
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000), ref: 00466948
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000,?), ref: 00466958

Part of subcall function 004668C0: GetModuleHandleA.KERNEL32(Libr), ref: 0046695F

VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,?,?,?,?,?,?,004010F0), ref: 00466CA3
VirtualAlloc.KERNEL32(00000016,?,00001000,00000004,?,?,?,?,?,?,?,004010F0), ref: 00466CEE

Strings

G, xrefs: 00466BF5
P, xrefs: 00466C07
i, xrefs: 00466BBA
o, xrefs: 00466BDE
KERNEL32.dll, xrefs: 00466BFA, 00466BFD
VirtualAlloc, xrefs: 00466B7A
t, xrefs: 00466BC2
e, xrefs: 00466C4C
l, xrefs: 00466BCE
HeapAlloc, xrefs: 00466C3F
l, xrefs: 00466BDA
c, xrefs: 00466BE2
a, xrefs: 00466C50
a, xrefs: 00466C2B
e, xrefs: 00466BFF
l, xrefs: 00466BD6
s, xrefs: 00466C1B
p, xrefs: 00466C54
c, xrefs: 00466C13
l, xrefs: 00466C60
s, xrefs: 00466C1F
u, xrefs: 00466BC6
H, xrefs: 00466C42
e, xrefs: 00466C17
H, xrefs: 00466C23
l, xrefs: 00466C5C
r, xrefs: 00466C0B
o, xrefs: 00466C0F
o, xrefs: 00466C64
p, xrefs: 00466C2F
e, xrefs: 00466C27
A, xrefs: 00466BD2
t, xrefs: 00466C03
r, xrefs: 00466BBE
V, xrefs: 00466BB6
c, xrefs: 00466C68
a, xrefs: 00466BCA
A, xrefs: 00466C58

Memory Dump Source

Source File: 00000003.00000002.3327356714.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3327299573.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327315119.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327375623.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327415276.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Deuvw.jbxd

Similarity

API ID: AddressAllocHandleModuleProcVirtual
String ID: A$A$G$H$H$HeapAlloc$KERNEL32.dll$P$V$VirtualAlloc$a$a$a$c$c$c$e$e$e$e$i$l$l$l$l$l$o$o$o$p$p$r$r$s$s$t$t$u
API String ID: 3695083113-2890414303
Opcode ID: eea5828057d8a8a3ca217eb1021cde760f26655aafc521580391e7091950ef6c
Instruction ID: 56dfe851e749cfa52889f2bfcfc8cef8fedfa8cb50ddae72ef14544c6a3e4736
Opcode Fuzzy Hash: eea5828057d8a8a3ca217eb1021cde760f26655aafc521580391e7091950ef6c
Instruction Fuzzy Hash: 06814271D08288DEEB11DBA8C844BDEBFF55F16708F084089E5807B282D7BE5549C77A

Function 00466EB1 Relevance: 52.6, APIs: 1, Strings: 29, Instructions: 128
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004668C0: GetModuleHandleA.KERNEL32(?,00062000,00000000,004010F0), ref: 0046693F
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000), ref: 00466948
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000,?), ref: 00466958

Part of subcall function 004668C0: GetModuleHandleA.KERNEL32(Libr), ref: 0046695F

VirtualProtect.KERNEL32(?,?,00000000,?,00000016,00000000,?,?,?,?,?,?), ref: 00467017

Strings

r, xrefs: 00466EFE
V, xrefs: 00466F36
i, xrefs: 00466F3A
e, xrefs: 00466F1E
RmF, xrefs: 0046701A
c, xrefs: 00466F66
r, xrefs: 00466F56
P, xrefs: 00466F52
i, xrefs: 00466EFA
V, xrefs: 00466EF6
l, xrefs: 00466F0E
r, xrefs: 00466F3E
r, xrefs: 00466F16
t, xrefs: 00466F6A
l, xrefs: 00466F4E
e, xrefs: 00466F1A
RmF, xrefs: 00466F79, 0046701D
KERNEL32.dll, xrefs: 00466F31, 00466F34
u, xrefs: 00466F06
@, xrefs: 00466FF6
e, xrefs: 00466F62
t, xrefs: 00466F5E
F, xrefs: 00466F12
t, xrefs: 00466F02
a, xrefs: 00466F4A
a, xrefs: 00466F0A
o, xrefs: 00466F5A
t, xrefs: 00466F42
u, xrefs: 00466F46

Memory Dump Source

Source File: 00000003.00000002.3327356714.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3327299573.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327315119.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327375623.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327415276.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Deuvw.jbxd

Similarity

API ID: AddressHandleModuleProc$ProtectVirtual
String ID: @$F$KERNEL32.dll$P$RmF$RmF$V$V$a$a$c$e$e$e$i$i$l$l$o$r$r$r$r$t$t$t$t$u$u
API String ID: 2080333215-3833892956
Opcode ID: cb608eef3711ebfc93400a4942087660b63e14b03940701ee4406093afd551ff
Instruction ID: 72b4ce0505e3628847bb6db0ce6ea59a5e3d376deda158c5c7a16eff45700afd
Opcode Fuzzy Hash: cb608eef3711ebfc93400a4942087660b63e14b03940701ee4406093afd551ff
Instruction Fuzzy Hash: 60513270C082C8DEDB02CBA8D5887DEBFB56F16348F184099D5847B292D3BE5A09C776

Function 004670B7 Relevance: 50.9, APIs: 2, Strings: 27, Instructions: 149
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004668C0: GetModuleHandleA.KERNEL32(?,00062000,00000000,004010F0), ref: 0046693F
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000), ref: 00466948
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000,?), ref: 00466958

Part of subcall function 004668C0: GetModuleHandleA.KERNEL32(Libr), ref: 0046695F

LoadLibraryA.KERNEL32(?,?,?,?,00000016,00000000,?), ref: 004671C7
GetProcAddress.KERNEL32(?,GmF), ref: 0046723C

Strings

r, xrefs: 0046712F
R, xrefs: 00467117
d, xrefs: 00467113
r, xrefs: 0046716B
GmF, xrefs: 0046717C, 00467219, 00467238
r, xrefs: 00467163
L, xrefs: 00467157
a, xrefs: 0046714F
I, xrefs: 00467103
i, xrefs: 0046715B
e, xrefs: 0046711B
a, xrefs: 00467167
y, xrefs: 0046716F
s, xrefs: 00467107
b, xrefs: 0046715F
d, xrefs: 00467123
A, xrefs: 00467173
GmF, xrefs: 004671B6, 00467209, 00467230
o, xrefs: 0046714B
L, xrefs: 00467141
d, xrefs: 00467153
KERNEL32.dll, xrefs: 00467146, 00467149
a, xrefs: 0046711F
a, xrefs: 0046710F
t, xrefs: 0046712B
B, xrefs: 0046710B
P, xrefs: 00467127

Memory Dump Source

Source File: 00000003.00000002.3327356714.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3327299573.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327315119.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327375623.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327415276.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Deuvw.jbxd

Similarity

API ID: AddressProc$HandleModule$LibraryLoad
String ID: A$B$GmF$GmF$I$KERNEL32.dll$L$L$P$R$a$a$a$a$b$d$d$d$e$i$o$r$r$r$s$t$y
API String ID: 551388010-1369886350
Opcode ID: 9146fd96053e2050b3294d5e699eb0beb02dc719ea692024da2c8e9b1210d4cc
Instruction ID: 73e0fe1b8e5c6c9f5f942eac17084d9bf6255d1aace67817413c182afa2f5bd3
Opcode Fuzzy Hash: 9146fd96053e2050b3294d5e699eb0beb02dc719ea692024da2c8e9b1210d4cc
Instruction Fuzzy Hash: 30615470D08289DEEB11CBA8C8447DEBFF56F15358F184099E584A7382D3BD9944C776

Function 00466D84 Relevance: 37.6, APIs: 1, Strings: 24, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004668C0: GetModuleHandleA.KERNEL32(?,00062000,00000000,004010F0), ref: 0046693F
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000), ref: 00466948
Part of subcall function 004668C0: GetProcAddress.KERNEL32(00000000,?), ref: 00466958

VirtualAlloc.KERNEL32(?,?,00001000,00000004,00000016,00000000,?), ref: 00466E7A

Strings

c, xrefs: 00466DFC
r, xrefs: 00466DD8
u, xrefs: 00466DE0
., xrefs: 00466DC0
l, xrefs: 00466DF0
i, xrefs: 00466DD4
l, xrefs: 00466DCC
E, xrefs: 00466DB0
K, xrefs: 00466DA0
l, xrefs: 00466DF4
R, xrefs: 00466DA8
V, xrefs: 00466DD0
2, xrefs: 00466DBC
A, xrefs: 00466DEC
N, xrefs: 00466DAC
t, xrefs: 00466DDC
E, xrefs: 00466DA4
a, xrefs: 00466DE4
3, xrefs: 00466DB8
L, xrefs: 00466DB4
l, xrefs: 00466DE8
l, xrefs: 00466DC8
d, xrefs: 00466DC4
o, xrefs: 00466DF8

Memory Dump Source

Source File: 00000003.00000002.3327356714.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3327299573.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327315119.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327375623.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327415276.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Deuvw.jbxd

Similarity

API ID: AddressProc$AllocHandleModuleVirtual
String ID: .$2$3$A$E$E$K$L$N$R$V$a$c$d$i$l$l$l$l$l$o$r$t$u
API String ID: 3787274985-1410553462
Opcode ID: 9a20da68c6a90be79534ff80353c2f0603882a79139077a3888f10a88befb3b9
Instruction ID: b7ee7351b5069f9bbbcd0e3288277ca9420c032c07cd61825cf92ba50ad0a3c8
Opcode Fuzzy Hash: 9a20da68c6a90be79534ff80353c2f0603882a79139077a3888f10a88befb3b9
Instruction Fuzzy Hash: 02416171D04288DBDF01CBA8C448BDEBFF1AF55704F084099D584AB382D3BA5A58C779

Function 0046A68E Relevance: 13.7, APIs: 9, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringW.KERNEL32(00000000,00000100,00466730,00000001,00000000,00000000,7591E860,0046B7E4,?,?,?,0046AB02,?,?,?,00000000), ref: 0046A6D0
LCMapStringA.KERNEL32(00000000,00000100,0046672C,00000001,00000000,00000000,?,?,0046AB02,?,?,?,00000000,00000001), ref: 0046A6EC
LCMapStringA.KERNEL32(?,?,?,0046AB02,?,?,7591E860,0046B7E4,?,?,?,0046AB02,?,?,?,00000000), ref: 0046A735
MultiByteToWideChar.KERNEL32(?,0046B7E5,?,0046AB02,00000000,00000000,7591E860,0046B7E4,?,?,?,0046AB02,?,?,?,00000000), ref: 0046A76D
MultiByteToWideChar.KERNEL32(00000000,00000001,?,0046AB02,?,00000000,?,?,0046AB02,?), ref: 0046A7C5
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0046AB02,?), ref: 0046A7DB
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0046AB02,?), ref: 0046A80E
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0046AB02,?), ref: 0046A876

Memory Dump Source

Source File: 00000003.00000002.3327356714.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3327299573.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327315119.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327375623.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327415276.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Deuvw.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: a28fd5e3e5a475bf9b6a264a68c1a845a1e8dddc284e8329ea69289aa823242b
Instruction ID: 12cc6b9feb3d9a71118cc58f801efc8483379fe271ac96587175e3a828ac97c7
Opcode Fuzzy Hash: a28fd5e3e5a475bf9b6a264a68c1a845a1e8dddc284e8329ea69289aa823242b
Instruction Fuzzy Hash: F4516B71900649ABCF219F94CD49AAF7FB9FB48750F10412AF910B2261E3398C61DF6B

Function 00467598 Relevance: 6.1, APIs: 4, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 004675BE

Part of subcall function 00468210: HeapCreate.KERNEL32(00000000,00001000,00000000,004675F6,00000001), ref: 00468221
Part of subcall function 00468210: HeapDestroy.KERNEL32 ref: 00468260

GetCommandLineA.KERNEL32 ref: 0046761E
GetStartupInfoA.KERNEL32(?), ref: 00467649
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0046766C

Part of subcall function 004676C5: ExitProcess.KERNEL32 ref: 004676E2

Memory Dump Source

Source File: 00000003.00000002.3327356714.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3327299573.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327315119.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327375623.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327415276.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Deuvw.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: 74ae398f86775484538032804f60e5769ebf57acb35412f92e8c4fd7a89ff731
Instruction ID: f877db75b34aef535155fa93e1ad8a33f9cc10bfb3bd4b0f6148cfe794d3ada0
Opcode Fuzzy Hash: 74ae398f86775484538032804f60e5769ebf57acb35412f92e8c4fd7a89ff731
Instruction Fuzzy Hash: 902165B19447059ED704AFB5DD46A6E7BA8EF0471CF10452FF501972A2FB784880CB9B

Function 00468900 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 00468914

Strings

, xrefs: 00468939
, xrefs: 0046895D

Memory Dump Source

Source File: 00000003.00000002.3327356714.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3327299573.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327315119.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327375623.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327415276.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Deuvw.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 8a739a128cb405312d00240f0076b108f8cfc1bf0800c8ea65d5b8b068e5d4fd
Instruction ID: b91b7a80f5c212ae6bf3e4eeca3f6c145e7dbed152764a56bdc0ce5edf8456d9
Opcode Fuzzy Hash: 8a739a128cb405312d00240f0076b108f8cfc1bf0800c8ea65d5b8b068e5d4fd
Instruction Fuzzy Hash: 1D4156310042581AEB119694CD59BF63FE8DB06700F1801EBDA85D7152FB7A49989BFF

Function 00468210 Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,004675F6,00000001), ref: 00468221

Part of subcall function 004680C8: GetVersionExA.KERNEL32 ref: 004680E7

HeapDestroy.KERNEL32 ref: 00468260

Part of subcall function 0046968F: HeapAlloc.KERNEL32(00000000,00000140,00468249,000003F8), ref: 0046969C

Memory Dump Source

Source File: 00000003.00000002.3327356714.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3327299573.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327315119.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327375623.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327415276.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Deuvw.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 00308e250556f24be53d22c4c1e5b2513877d9e21008081d955c28075247dc7a
Instruction ID: 6e6482bd650207ad86c54233ac2670d8762018555e74c8298600f12d13cd5025
Opcode Fuzzy Hash: 00308e250556f24be53d22c4c1e5b2513877d9e21008081d955c28075247dc7a
Instruction Fuzzy Hash: D1F0ED70B58B019BEB206B719C4133A3794DB44792F104A7FF500D81A0FFB888C0965F

Function 004686AD Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004685F5: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0046922B,00000009,00000000,00000000,00000001,00468059,00000001,00000074,?,?,00000000,00000001), ref: 00468632
Part of subcall function 004685F5: EnterCriticalSection.KERNEL32(?,?,?,0046922B,00000009,00000000,00000000,00000001,00468059,00000001,00000074,?,?,00000000,00000001), ref: 0046864D

GetCPInfo.KERNEL32(00000000,?,?,00000000,00000000,?,?,00467638), ref: 004686FE

Part of subcall function 00468656: LeaveCriticalSection.KERNEL32(?,00468D8B,00000009,00468D77,00000000,?,00000000,00000000,00000000), ref: 00468663

Memory Dump Source

Source File: 00000003.00000002.3327356714.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3327299573.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327315119.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327375623.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327415276.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Deuvw.jbxd

Similarity

API ID: CriticalSection$EnterInfoInitializeLeave
String ID:
API String ID: 1866836854-0
Opcode ID: d544553c3794957d79ceab9ece9c6795c21eceff83caea486740067c3f9cd554
Instruction ID: 72f3e8e95f47c0a7d074f3bfbe55f138b4f0ed167d66031de908a5d040259cbe
Opcode Fuzzy Hash: d544553c3794957d79ceab9ece9c6795c21eceff83caea486740067c3f9cd554
Instruction Fuzzy Hash: 294144719142509EEB10EBA4CC8436A7BA1DB05316F28423FD245CB292FF794986878F

Non-executed Functions

Function 004668C0 Relevance: 54.3, APIs: 4, Strings: 27, Instructions: 65
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,00062000,00000000,004010F0), ref: 0046693F
GetProcAddress.KERNEL32(00000000), ref: 00466948
GetProcAddress.KERNEL32(00000000,?), ref: 00466958
GetModuleHandleA.KERNEL32(Libr), ref: 0046695F

Strings

Libr, xrefs: 0046695C
., xrefs: 004668FF
i, xrefs: 00466923
LoadLibr, xrefs: 00466952
3, xrefs: 004668F7
b, xrefs: 00466927
2, xrefs: 004668FB
E, xrefs: 004668E3
L, xrefs: 004668F3
y, xrefs: 00466937
d, xrefs: 0046691B
A, xrefs: 0046693B
LoadLibr, xrefs: 004668D6, 004668DA
R, xrefs: 004668E7
L, xrefs: 0046690F
l, xrefs: 0046690B
r, xrefs: 00466933
K, xrefs: 004668DE
a, xrefs: 0046692F
l, xrefs: 00466907
o, xrefs: 00466913
N, xrefs: 004668EB
a, xrefs: 00466917
d, xrefs: 00466903
r, xrefs: 0046692B
E, xrefs: 004668EF
L, xrefs: 0046691F

Memory Dump Source

Source File: 00000003.00000002.3327356714.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3327299573.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327315119.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327375623.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327415276.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Deuvw.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: .$2$3$A$E$E$K$L$L$L$Libr$LoadLibr$LoadLibr$N$R$a$a$b$d$d$i$l$l$o$r$r$y
API String ID: 1646373207-713136220
Opcode ID: ab11df402e6262a6cd0bd32f4206eccbc3d47516eb2c55da4dfc699759f1ff03
Instruction ID: 408384f28f9ef53e4cf42fff1d531f2f4c792ab3fc2232b330d19c68f6871aa3
Opcode Fuzzy Hash: ab11df402e6262a6cd0bd32f4206eccbc3d47516eb2c55da4dfc699759f1ff03
Instruction Fuzzy Hash: D621DF519082DDEDEF0297A8C8087EEBFA65F12348F184099D58476292D3FE4658C7BA

Function 00467CDF Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0046762E), ref: 00467CFA
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0046762E), ref: 00467D0E
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0046762E), ref: 00467D3A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0046762E), ref: 00467D72
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0046762E), ref: 00467D94
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0046762E), ref: 00467DAD
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0046762E), ref: 00467DC0
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00467DFE

Strings

.vF, xrefs: 00467DA8, 00467D9A

Memory Dump Source

Source File: 00000003.00000002.3327356714.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3327299573.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327315119.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327375623.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327415276.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Deuvw.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID: .vF
API String ID: 1823725401-726173741
Opcode ID: 21081ef7853c4b6e1e71b35f9d3aba763abd31334b7cf08a66a00147fecdca15
Instruction ID: e0ff4c1f4c83d16eda3da060816b460531535d088a5a1c2de0a90e5b0c67148f
Opcode Fuzzy Hash: 21081ef7853c4b6e1e71b35f9d3aba763abd31334b7cf08a66a00147fecdca15
Instruction Fuzzy Hash: E93103B250D2656FD7217F789C8487B7A9CEE4535C7150E3BF582C3200FA298C8182AB

Function 0046A504 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0046859D,?,Microsoft Visual C++ Runtime Library,00012010,?,00466618,?,00466668,?,?,?,Runtime Error!Program: ), ref: 0046A516
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0046A52E
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0046A53F
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0046A54C

Strings

GetActiveWindow, xrefs: 0046A539
GetLastActivePopup, xrefs: 0046A541
MessageBoxA, xrefs: 0046A528
hfF, xrefs: 0046A572
user32.dll, xrefs: 0046A511

Memory Dump Source

Source File: 00000003.00000002.3327356714.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3327299573.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327315119.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327375623.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327415276.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Deuvw.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$hfF$user32.dll
API String ID: 2238633743-3168188537
Opcode ID: cfa0cc50ece0866b78a170ab5342ea6b85cd7e283ba0fb2aa1623d024210fd94
Instruction ID: 744f6a593e7a9add090b9772e32a29f883b75c07cff326d20426f5d76b4cd1ff
Opcode Fuzzy Hash: cfa0cc50ece0866b78a170ab5342ea6b85cd7e283ba0fb2aa1623d024210fd94
Instruction Fuzzy Hash: 02011E72600651AB8711DFB5DC80A5B7BE8EB54795714443BF102E2221F7B8CCA19FAF

Function 00468479 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 004684E6
GetStdHandle.KERNEL32(000000F4,00466618,00000000,00000000,00000000,?), ref: 004685BC
WriteFile.KERNEL32(00000000), ref: 004685C3

Strings

Runtime Error!Program: , xrefs: 0046854C
..., xrefs: 00468538
Microsoft Visual C++ Runtime Library, xrefs: 00468592
<program name unknown>, xrefs: 004684F6

Memory Dump Source

Source File: 00000003.00000002.3327356714.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3327299573.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327315119.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327375623.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327415276.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Deuvw.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: e2e85c8ef0b16a8288ff27266e0de427043c067a522af83105a15374f6e707cc
Instruction ID: 2056a4cf523c6c61efd455e582aa4bd90fb20045327001bf824e2cedd7879936
Opcode Fuzzy Hash: e2e85c8ef0b16a8288ff27266e0de427043c067a522af83105a15374f6e707cc
Instruction Fuzzy Hash: 6631C5B2600218AFEF20EB60DD45F9A736CEB55704F10065FF545E6051FA78EA418A6F

Function 0046A8DD Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,00466730,00000001,?,7591E860,0046B7E4,?,?,0046AB02,?,?,?,00000000,00000001), ref: 0046A91C
GetStringTypeA.KERNEL32(00000000,00000001,0046672C,00000001,?,?,0046AB02,?,?,?,00000000,00000001), ref: 0046A936
GetStringTypeA.KERNEL32(?,?,?,?,0046AB02,7591E860,0046B7E4,?,?,0046AB02,?,?,?,00000000,00000001), ref: 0046A96A
MultiByteToWideChar.KERNEL32(?,0046B7E5,?,?,00000000,00000000,7591E860,0046B7E4,?,?,0046AB02,?,?,?,00000000,00000001), ref: 0046A9A2
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0046AB02,?), ref: 0046A9F8
GetStringTypeW.KERNEL32(?,?,00000000,0046AB02,?,?,?,?,?,?,0046AB02,?), ref: 0046AA0A

Memory Dump Source

Source File: 00000003.00000002.3327356714.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3327299573.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327315119.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327375623.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327415276.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Deuvw.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: ab4217411143ffe3254ca9e7388d5397779f7d60e845bb51e8d462f5dba7c91c
Instruction ID: 5d04ebb630ede76be34a412984aa30ef206bdfb02e237f80f5ded91fe66f7989
Opcode Fuzzy Hash: ab4217411143ffe3254ca9e7388d5397779f7d60e845bb51e8d462f5dba7c91c
Instruction Fuzzy Hash: 3F417EB1600609BFCF108F94DD85EAF3B69EB05754F204526F915F2260E3398DA4DBAB

Function 004680C8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 004680E7
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 0046811C
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0046817C

Strings

__MSVCRT_HEAP_SELECT, xrefs: 00468117
__GLOBAL_HEAP_SELECTED, xrefs: 00468156

Memory Dump Source

Source File: 00000003.00000002.3327356714.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3327299573.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327315119.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327375623.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327415276.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Deuvw.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 53528356a6435874c4cea8836d0c504b681df6164dbf9ca25d22a8d434fd30e9
Instruction ID: 5b987649a18d894d0e495aeb664bcd7067431a9f38e5e2f94aadff08a1f212ff
Opcode Fuzzy Hash: 53528356a6435874c4cea8836d0c504b681df6164dbf9ca25d22a8d434fd30e9
Instruction Fuzzy Hash: 3331F3719452886AEB3186709C51BDB37689B03308F1402DFE185E5242FE788EC7CB1B

Function 00467E11 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 00467E6F
GetFileType.KERNEL32(?,?,00000000), ref: 00467F1A
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00467F7D
GetFileType.KERNEL32(00000000,?,00000000), ref: 00467F8B
SetHandleCount.KERNEL32 ref: 00467FC2

Memory Dump Source

Source File: 00000003.00000002.3327356714.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3327299573.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327315119.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327375623.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327415276.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Deuvw.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 34c641e5c7566a4f61e51126171c732304a31f5bcaff118d0c42436aae4cc374
Instruction ID: 904a1bf5860a3ccec006ab94641980349b31f95e458b6625cd4b51425871e72e
Opcode Fuzzy Hash: 34c641e5c7566a4f61e51126171c732304a31f5bcaff118d0c42436aae4cc374
Instruction Fuzzy Hash: AD5134315083058FD724CF28C884B667BA0EB1172CF2446AED5A6DB6E1F7389C49C75B

Function 00468034 Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,0046AAAD,00469480,00000000,?,?,00000000,00000001), ref: 00468036
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00468044
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00468090

Part of subcall function 00469175: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00468059,00000001,00000074,?,?,00000000,00000001), ref: 0046926B

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00468068
GetCurrentThreadId.KERNEL32 ref: 00468079

Memory Dump Source

Source File: 00000003.00000002.3327356714.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3327299573.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327315119.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327375623.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327415276.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Deuvw.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 8052f77e0d2cf52281169dad796c00c49ce1532b00fa052d94a585fd97d9bf58
Instruction ID: b74b10b1bdd3e7229d6419e3796b190ce8a51909fc87ae4804f62f1af361191e
Opcode Fuzzy Hash: 8052f77e0d2cf52281169dad796c00c49ce1532b00fa052d94a585fd97d9bf58
Instruction Fuzzy Hash: B4F0F6316002515BD7302B75BD0956A3B649B01771B150B3EF5C2E56B0EF788CC5466A

Function 00469EE0 Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,00463C80,00463C80,?,?,0046A3AC,00000000,00000010,00000000,00000009,00000009,?,00468D6A,00000010,00000000), ref: 00469F01
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,0046A3AC,00000000,00000010,00000000,00000009,00000009,?,00468D6A,00000010,00000000), ref: 00469F25
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,0046A3AC,00000000,00000010,00000000,00000009,00000009,?,00468D6A,00000010,00000000), ref: 00469F3F
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0046A3AC,00000000,00000010,00000000,00000009,00000009,?,00468D6A,00000010,00000000,?), ref: 0046A000
HeapFree.KERNEL32(00000000,00000000,?,?,0046A3AC,00000000,00000010,00000000,00000009,00000009,?,00468D6A,00000010,00000000,?,00000000), ref: 0046A017

Memory Dump Source

Source File: 00000003.00000002.3327356714.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3327299573.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327315119.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327375623.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327415276.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Deuvw.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 2bf0c84c70cf4df8327d2a3aebbceef8d6b212f0e4515c6402ae096c437e29aa
Instruction ID: 445181fbcf65ce7e9d39d92d2b604eca806c0f8a9288605ab4d6bb1f59089151
Opcode Fuzzy Hash: 2bf0c84c70cf4df8327d2a3aebbceef8d6b212f0e4515c6402ae096c437e29aa
Instruction Fuzzy Hash: 1C31D072600701ABE3308F24DC44B66BBA8EB44755F11423BF156E7790FBB8AD409B4E

Function 00469D34 Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00469AFC,00000000,00000000,00000000,00468D0C,00000000,00000000,?,00000000,00000000,00000000), ref: 00469D5C
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00469AFC,00000000,00000000,00000000,00468D0C,00000000,00000000,?,00000000,00000000,00000000), ref: 00469D90
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00469DAA
HeapFree.KERNEL32(00000000,?), ref: 00469DC1

Memory Dump Source

Source File: 00000003.00000002.3327356714.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3327299573.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327315119.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327375623.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327415276.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Deuvw.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 85db0018b5f02a0a531da6da56e99f1b82eb4dab677bd662bfc4afaa2d152d60
Instruction ID: a1c2a3597b2230bcaeaffa70772468b135f739cde47e51b730ca6c90506df880
Opcode Fuzzy Hash: 85db0018b5f02a0a531da6da56e99f1b82eb4dab677bd662bfc4afaa2d152d60
Instruction Fuzzy Hash: AE114F70600701EFC7218F2AEC45D627BB9FB85721711493AF1A2D65B0E3B198C2CF8A

Function 004685CC Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,00467FD3,?,00467608), ref: 004685D9
InitializeCriticalSection.KERNEL32(?,00467FD3,?,00467608), ref: 004685E1
InitializeCriticalSection.KERNEL32(?,00467FD3,?,00467608), ref: 004685E9
InitializeCriticalSection.KERNEL32(?,00467FD3,?,00467608), ref: 004685F1

Memory Dump Source

Source File: 00000003.00000002.3327356714.0000000000465000.00000008.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3327299573.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327315119.0000000000401000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327375623.000000000046B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.3327415276.000000000046C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Deuvw.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 503c6c650575022db7612a51c23a455fa7bd590d9805bfc3dac3f36800976718
Instruction ID: 0ad9e4f4a03855f4481bac37ad47b37e425ca202d897247833f3bf621bba40d6
Opcode Fuzzy Hash: 503c6c650575022db7612a51c23a455fa7bd590d9805bfc3dac3f36800976718
Instruction Fuzzy Hash: 6BC002318040B49ACF126F95FE06946BF25EB447A23050077F5845143497A21D50FFD9

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COGENT-174US	http://www.rr8844.com	Get hash	malicious	Unknown	Browse	149.104.32.188
	DF2.exe	Get hash	malicious	Unknown	Browse	38.40.94.251
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	149.104.166.231
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	154.22.36.201
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	149.38.61.254
	lDO4WBEQyL.exe	Get hash	malicious	GO Backdoor	Browse	38.180.205.164
	4iogI3WCTh.exe	Get hash	malicious	GhostRat	Browse	154.39.239.95
	Receipt-#202431029B.exe	Get hash	malicious	XWorm	Browse	154.39.0.150
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	38.55.246.3
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	38.55.246.3

Entrypoint:	0x467598
Entrypoint Section:	.data
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x61CC4DC7 [Wed Dec 29 12:00:07 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	19d4e66d725c89ba6712b82bebc8196d

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.data	0x1000	0x6afce	0x6b000	437904bad8bb8b717001438d6a8237eb	False	0.8334048262266355	data	7.790827391559138	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6c000	0xf638	0xf800	514dbf6dc2998bdb92f361ac96eb3c38	False	0.15582472278225806	data	3.504281288959596	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x6c180	0xdcd8	Device independent bitmap graphic, 128 x 214 x 32, image size 54784, resolution 27559 x 27559 px/m	Chinese	China	0.10743597000141503
RT_ICON	0x79e70	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Chinese	China	0.5403377110694184
RT_ICON	0x7af18	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Chinese	China	0.726063829787234
RT_GROUP_ICON	0x79e58	0x14	data	Chinese	China	1.15
RT_GROUP_ICON	0x7b380	0x22	data	Chinese	China	1.0294117647058822
RT_MANIFEST	0x7b3a8	0x28b	XML 1.0 document, ASCII text, with CRLF line terminators	Chinese	China	0.5529953917050692

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6bb5c	0x28	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6c000	0xf638	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xc8	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PQ2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Deuvw.exe

C:\Program Files\Deuvw.exe:Zone.Identifier

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
PQ2.exe

Function 004670B7 Relevance: 50.9, APIs: 2, Strings: 27, Instructions: 149
libraryloaderCOMMON

Function 00467598 Relevance: 6.1, APIs: 4, Instructions: 81
COMMON

Function 00466B6A Relevance: 60.2, APIs: 2, Strings: 38, Instructions: 189
memoryCOMMON

Function 00466EB1 Relevance: 52.6, APIs: 1, Strings: 29, Instructions: 128
memoryCOMMON

Function 00466D84 Relevance: 37.6, APIs: 1, Strings: 24, Instructions: 106
memoryCOMMON

Function 0046A68E Relevance: 13.7, APIs: 9, Instructions: 177
COMMON

Function 00468900 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Function 101C0330 Relevance: 3.2, APIs: 2, Instructions: 210
memoryCOMMON

Function 00468210 Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Function 004686AD Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Function 00468CBE Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMON