Windows Analysis Report
Vhl3X1aYeU.exe

Overview

General Information

Sample name: Vhl3X1aYeU.exe (renamed because the original name is a hash value)
Original sample name: 0b06ffc35e57fa882d381e2516890367.exe
Analysis ID: 1585656
MD5: 0b06ffc35e57fa882d381e2516890367
SHA1: 5f1aae9f6368528637e5ff05562366b306456d80
SHA256: 56b3ddac0c8b5d6e4e31c452a200baf843acd84d174d05db0317f28f79b4f9cd
Tags: exe, njrat, RAT, user-abuse_ch

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Disables zone checking for all users
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the program root directory (C:\Program Files)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Vhl3X1aYeU.exe (PID: 6272 cmdline: "C:\Users\user\Desktop\Vhl3X1aYeU.exe" MD5: 0B06FFC35E57FA882D381E2516890367)
    • netsh.exe (PID: 6624 cmdline: netsh firewall add allowedprogram "C:\Users\user\Desktop\Vhl3X1aYeU.exe" "Vhl3X1aYeU.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 5356 cmdline: netsh firewall delete allowedprogram "C:\Users\user\Desktop\Vhl3X1aYeU.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 3512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 2496 cmdline: netsh firewall add allowedprogram "C:\Users\user\Desktop\Vhl3X1aYeU.exe" "Vhl3X1aYeU.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Explower.exe (PID: 6884 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe" MD5: 0B06FFC35E57FA882D381E2516890367)
  • cleanup

Malware Configuration

Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Extracted configuration: {"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "7d8b54f61658224964f27b9b12cf7d70", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}

Yara Overview: Initial Sample

Source: Vhl3X1aYeU.exe | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security
Source: Vhl3X1aYeU.exe | Rule: Windows_Trojan_Njrat_30f3c220 | Description: unknown | Author: unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a27:$a2: SEE_MASK_NOZONECHECKS
  • 0x156c9:$a3: Download ERROR
  • 0x15c79:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c06:$a5: netsh firewall delete allowedprogram "
Source: Vhl3X1aYeU.exe | Rule: CN_disclosed_20180208_c | Description: Detects malware from disclosed CN malware set | Author: Florian Roth
  • 0x15c79:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x13792:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x156e7:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156c9:$s6: Download ERROR
  • 0x13754:$s8: Select * From AntiVirusProduct
Source: Vhl3X1aYeU.exe | Rule: crimeware_njrat_strings | Description: Detects njRAT based on some strings | Author: Sekoia.io
  • 0x1546b:$: set cdaudio door closed
  • 0x1542f:$: set cdaudio door open
  • 0x15c8f:$: ping 0
  • 0x13412:$: [endof]
  • 0x132cc:$: TiGeR-Firewall
  • 0x132fa:$: NetSnifferCs
  • 0x132b8:$: IPBlocker
  • 0x13314:$: Sandboxie Control
Source: Vhl3X1aYeU.exe | Rule: Njrat | Description: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
  • 0x15a27:$reg: SEE_MASK_NOZONECHECKS
  • 0x156ad:$msg: Execute ERROR
  • 0x15701:$msg: Execute ERROR
  • 0x15c79:$ping: cmd.exe /c ping 0 -n 2 & del

Yara Overview: Dropped Files

Source: C:\Program Files (x86)\Explower.exe | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security (listed 3 times)
Source: C:\Program Files (x86)\Explower.exe | Rule: Windows_Trojan_Njrat_30f3c220 | Description: unknown | Author: unknown (listed 2 times, identical strings)
  • 0x115d2:$a1: get_Registry
  • 0x15a27:$a2: SEE_MASK_NOZONECHECKS
  • 0x156c9:$a3: Download ERROR
  • 0x15c79:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c06:$a5: netsh firewall delete allowedprogram "

Yara Overview: Memory Dumps

Source: 00000000.00000000.1671418007.00000000005A2000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security
Source: 00000000.00000000.1671418007.00000000005A2000.00000002.00000001.01000000.00000003.sdmp | Rule: Windows_Trojan_Njrat_30f3c220 | Description: unknown | Author: unknown
  • 0x113d2:$a1: get_Registry
  • 0x15827:$a2: SEE_MASK_NOZONECHECKS
  • 0x154c9:$a3: Download ERROR
  • 0x15a79:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13a06:$a5: netsh firewall delete allowedprogram "
Source: 00000000.00000000.1671418007.00000000005A2000.00000002.00000001.01000000.00000003.sdmp | Rule: Njrat | Description: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
  • 0x15827:$reg: SEE_MASK_NOZONECHECKS
  • 0x154ad:$msg: Execute ERROR
  • 0x15501:$msg: Execute ERROR
  • 0x15a79:$ping: cmd.exe /c ping 0 -n 2 & del
Source: 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security
Source: Process Memory Space: Vhl3X1aYeU.exe PID: 6272 | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security

Yara Overview: Unpacked PEs

Source: 0.0.Vhl3X1aYeU.exe.5a0000.0.unpack | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security
Source: 0.0.Vhl3X1aYeU.exe.5a0000.0.unpack | Rule: Windows_Trojan_Njrat_30f3c220 | Description: unknown | Author: unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a27:$a2: SEE_MASK_NOZONECHECKS
  • 0x156c9:$a3: Download ERROR
  • 0x15c79:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c06:$a5: netsh firewall delete allowedprogram "
Source: 0.0.Vhl3X1aYeU.exe.5a0000.0.unpack | Rule: CN_disclosed_20180208_c | Description: Detects malware from disclosed CN malware set | Author: Florian Roth
  • 0x15c79:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x13792:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x156e7:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156c9:$s6: Download ERROR
  • 0x13754:$s8: Select * From AntiVirusProduct
Source: 0.0.Vhl3X1aYeU.exe.5a0000.0.unpack | Rule: crimeware_njrat_strings | Description: Detects njRAT based on some strings | Author: Sekoia.io
  • 0x1546b:$: set cdaudio door closed
  • 0x1542f:$: set cdaudio door open
  • 0x15c8f:$: ping 0
  • 0x13412:$: [endof]
  • 0x132cc:$: TiGeR-Firewall
  • 0x132fa:$: NetSnifferCs
  • 0x132b8:$: IPBlocker
  • 0x13314:$: Sandboxie Control
Source: 0.0.Vhl3X1aYeU.exe.5a0000.0.unpack | Rule: Njrat | Description: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
  • 0x15a27:$reg: SEE_MASK_NOZONECHECKS
  • 0x156ad:$msg: Execute ERROR
  • 0x15701:$msg: Execute ERROR
  • 0x15c79:$ping: cmd.exe /c ping 0 -n 2 & del

System Summary

Sigma rule match (Startup Folder File Write):
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\Vhl3X1aYeU.exe, ProcessId: 6272, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-07T23:57:07.036622+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 77.90.22.45 | 3333 | TCP
2025-01-07T23:57:07.036622+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 77.90.22.45 | 3333 | TCP
2025-01-07T23:57:13.075499+0100 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 77.90.22.45 | 3333 | TCP

AV Detection

Source: Vhl3X1aYeU.exe | Avira: detected
Source: C:\Program Files (x86)\Explower.exe | Avira: detection malicious, Label: TR/Dropper.Gen (listed 9 times)
Source: 0.0.Vhl3X1aYeU.exe.5a0000.0.unpack | Malware Configuration Extractor: Njrat {"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "7d8b54f61658224964f27b9b12cf7d70", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
Source: C:\Program Files (x86)\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Documents\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Favorites\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Windows\SysWOW64\Explower.exe | ReversingLabs: Detection: 84%
Source: Vhl3X1aYeU.exe | ReversingLabs: Detection: 84%
Source: Yara match | File source: Vhl3X1aYeU.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Vhl3X1aYeU.exe.5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1671418007.00000000005A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Vhl3X1aYeU.exe PID: 6272, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Explower.exe PID: 6884, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Explower.exe | Joe Sandbox ML: detected (listed 9 times)
Source: Vhl3X1aYeU.exe | Joe Sandbox ML: detected
Source: Vhl3X1aYeU.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Vhl3X1aYeU.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Source: Vhl3X1aYeU.exe, Usb1.cs | .Net Code: infect
Source: Explower.exe.0.dr, Usb1.cs | .Net Code: infect
Source: Explower.exe0.0.dr, Usb1.cs | .Net Code: infect
Source: Explower.exe1.0.dr, Usb1.cs | .Net Code: infect
Source: Explower.exe2.0.dr, Usb1.cs | .Net Code: infect
Source: Explower.exe3.0.dr, Usb1.cs | .Net Code: infect
Source: Explower.exe4.0.dr, Usb1.cs | .Net Code: infect
Source: Explower.exe5.0.dr, Usb1.cs | .Net Code: infect
Source: Explower.exe6.0.dr, Usb1.cs | .Net Code: infect
Source: Explower.exe7.0.dr, Usb1.cs | .Net Code: infect
Source: Vhl3X1aYeU.exe, 00000000.00000000.1671418007.00000000005A2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory strings: \autorun.inf, [autorun], autorun.inf
Source: Vhl3X1aYeU.exe | Binary or memory strings: \autorun.inf, [autorun], autorun.inf
Source: Explower.exe2.0.dr | Binary or memory strings: \autorun.inf, [autorun], autorun.inf
Source: Explower.exe.0.dr | Binary or memory strings: \autorun.inf, [autorun], autorun.inf
Source: Explower.exe1.0.dr | Binary or memory strings: \autorun.inf, [autorun], autorun.inf
Source: Explower.exe4.0.dr | Binary or memory strings: \autorun.inf, [autorun], autorun.inf
Source: Explower.exe3.0.dr | Binary or memory strings: \autorun.inf, [autorun], autorun.inf
Source: Explower.exe7.0.dr | Binary or memory strings: \autorun.inf, [autorun], autorun.inf
Source: Explower.exe6.0.dr | Binary or memory strings: \autorun.inf, [autorun], autorun.inf
Source: Explower.exe0.0.dr | Binary or memory strings: \autorun.inf, [autorun], autorun.inf
Source: Explower.exe5.0.dr | Binary or memory strings: \autorun.inf, [autorun], autorun.inf
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Networking

Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49730 -> 77.90.22.45:3333
Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49730 -> 77.90.22.45:3333
Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49730 -> 77.90.22.45:3333
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 77.90.22.45:3333
Source: Joe Sandbox View | ASN Name: ASGHOSTNETDE ASGHOSTNETDE
Source: unknown | TCP traffic detected without corresponding DNS query: 77.90.22.45 (listed 21 times)
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Source: Yara match | File source: Vhl3X1aYeU.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Vhl3X1aYeU.exe.5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1671418007.00000000005A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Vhl3X1aYeU.exe PID: 6272, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Explower.exe PID: 6884, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files (x86)\Explower.exe, type: DROPPED

                  System Summary

                  barindex
                  Source: Vhl3X1aYeU.exe, type: SAMPLEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                  Source: Vhl3X1aYeU.exe, type: SAMPLEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
                  Source: Vhl3X1aYeU.exe, type: SAMPLEMatched rule: Detects njRAT based on some strings Author: Sekoia.io
                  Source: Vhl3X1aYeU.exe, type: SAMPLEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: Vhl3X1aYeU.exe, type: SAMPLEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                  Source: 0.0.Vhl3X1aYeU.exe.5a0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                  Source: 0.0.Vhl3X1aYeU.exe.5a0000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
                  Source: 0.0.Vhl3X1aYeU.exe.5a0000.0.unpack, type: UNPACKEDPEMatched rule: Detects njRAT based on some strings Author: Sekoia.io
                  Source: 0.0.Vhl3X1aYeU.exe.5a0000.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: 0.0.Vhl3X1aYeU.exe.5a0000.0.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                  Source: 00000000.00000000.1671418007.00000000005A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                  Source: 00000000.00000000.1671418007.00000000005A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Detects njRAT based on some strings Author: Sekoia.io
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Detects njRAT based on some strings Author: Sekoia.io
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Detects njRAT based on some strings Author: Sekoia.io
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Detects njRAT based on some strings Author: Sekoia.io
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Detects njRAT based on some strings Author: Sekoia.io
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                  Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00EABCEE NtQuerySystemInformation
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00EABCBD NtQuerySystemInformation
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | File created: C:\Windows\SysWOW64\Explower.exe
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | File created: C:\Windows\SysWOW64\Explower.exe:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00EA2BCF
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00FE4298
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00FE7288
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00FE49F9
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00FE44F1
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00FE50E3
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00FE47D4
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00FE499D
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00FE4F9D
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00FE4C8F
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00FE726E
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00FE536F
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00FE505D
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00FE4B5B
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00FE4544
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00FE4936
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00FE4630
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00FE4F2F
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00FE470F
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00FE5000
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00FE5459
Source: Vhl3X1aYeU.exe, 00000000.00000002.4122223043.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs Vhl3X1aYeU.exe
Source: Vhl3X1aYeU.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Vhl3X1aYeU.exe, type: SAMPLE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: Vhl3X1aYeU.exe, type: SAMPLE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Vhl3X1aYeU.exe, type: SAMPLE | Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: Vhl3X1aYeU.exe, type: SAMPLE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: Vhl3X1aYeU.exe, type: SAMPLE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.Vhl3X1aYeU.exe.5a0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.Vhl3X1aYeU.exe.5a0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Vhl3X1aYeU.exe.5a0000.0.unpack, type: UNPACKEDPE | Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 0.0.Vhl3X1aYeU.exe.5a0000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.Vhl3X1aYeU.exe.5a0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.1671418007.00000000005A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1671418007.00000000005A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: classification engine | Classification label: mal100.spre.phis.troj.adwa.evad.winEXE@11/23@0/1
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00EABB72 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Code function: 0_2_00EABB3B AdjustTokenPrivileges
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | File created: C:\Program Files (x86)\Explower.exe
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | File created: C:\Users\user\AppData\Roaming\app
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3512:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Mutant created: \Sessions\1\BaseNamedObjects\7d8b54f61658224964f27b9b12cf7d70
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:980:120:WilError_03
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6572:120:WilError_03
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt
Source: Vhl3X1aYeU.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Vhl3X1aYeU.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Vhl3X1aYeU.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | File read: C:\Users\user\Desktop\Vhl3X1aYeU.exe
Source: unknown | Process created: C:\Users\user\Desktop\Vhl3X1aYeU.exe "C:\Users\user\Desktop\Vhl3X1aYeU.exe"
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\Vhl3X1aYeU.exe" "Vhl3X1aYeU.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Users\user\Desktop\Vhl3X1aYeU.exe"
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\Vhl3X1aYeU.exe" "Vhl3X1aYeU.exe" ENABLE
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe"
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dllJump to behavior
                  Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe    Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe    Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe    Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe    Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe    Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe    Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe    Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe    Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe    Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe    Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
Source: Window Recorder    Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: Vhl3X1aYeU.exe    Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Vhl3X1aYeU.exe    Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Vhl3X1aYeU.exe, Fransesco.cs    .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe.0.dr, Fransesco.cs    .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe0.0.dr, Fransesco.cs    .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe1.0.dr, Fransesco.cs    .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe2.0.dr, Fransesco.cs    .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe3.0.dr, Fransesco.cs    .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe4.0.dr, Fransesco.cs    .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe5.0.dr, Fransesco.cs    .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe6.0.dr, Fransesco.cs    .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe7.0.dr, Fransesco.cs    .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    Code function: 0_2_06750A4B push 6A47C310h; ret 0_2_06750A62
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe    Code function: 7_2_04E33141 pushad ; ret 7_2_04E33154

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    File created: C:\Users\user\Documents\Explower.exe
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    File created: C:\Windows\SysWOW64\Explower.exe
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    File created: C:\Users\user\AppData\Local\Explower.exe
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    File created: C:\Program Files (x86)\Explower.exe
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    File created: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    File created: C:\Users\user\Favorites\Explower.exe

Boot Survival

Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe    Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe    Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    Memory allocated: F50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    Memory allocated: 2C40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    Memory allocated: 4C40000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    Memory allocated: 5AA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    Memory allocated: 6AA0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    Memory allocated: 6CD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    Memory allocated: 7CD0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    Memory allocated: 7F20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    Memory allocated: 8F20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    Memory allocated: 9F20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    Memory allocated: 6060000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe    Memory allocated: 7CD0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 9F20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: AF20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: BF20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: CF20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: DF20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: EF20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 8F80000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: FF20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 10F20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 11F20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: A400000 memory commit | memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 12F20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 13F20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 14F20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 15F20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 16F20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 17F20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 18F20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 19F20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 1AF20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: C520000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: D520000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: E520000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 1BF20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 1CF20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 1DF20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 1EF20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 1FF20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 20F20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 21F20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 22F20000 memory commit | memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 24130000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 25130000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 26130000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 27130000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 28130000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 29130000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 2A130000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 2B130000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 2C130000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 2D130000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: F520000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: C620000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: D620000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: E620000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: F620000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: D660000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: E660000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: F660000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 10660000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 11660000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 12660000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: F7A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 107A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 117A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 127A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 137A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 147A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 157A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 167A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 177A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 187A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 197A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 1A7A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 1B7A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 1C7A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 1D7A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 1E7A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 1F7A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 207A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 217A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 2E130000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 2F130000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 30130000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exeMemory allocated: 31130000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeMemory allocated: FD0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeMemory allocated: 2C00000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeMemory allocated: 4C00000 memory commit | memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe Window / User API: threadDelayed 2834
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe Window / User API: threadDelayed 1580
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe Window / User API: foregroundWindowGot 410
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe Window / User API: foregroundWindowGot 421
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe TID: 1344 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe TID: 1344 Thread sleep count: 253 > 30
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe TID: 2492 Thread sleep count: 2834 > 30
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe TID: 2492 Thread sleep time: -1417000s >= -30000s
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe TID: 2812 Thread sleep count: 187 > 30
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe TID: 2304 Thread sleep count: 63 > 30
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe TID: 2492 Thread sleep count: 1580 > 30
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe TID: 2492 Thread sleep time: -790000s >= -30000s
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe TID: 600 Thread sleep count: 67 > 30
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe TID: 5448 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe File opened: C:\Users\user\AppData\
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe File opened: C:\Users\user\
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                  Source: netsh.exe, 00000001.00000002.1699675996.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000002.1732889308.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4122223043.0000000000B83000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWrvices, Versio
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4122223043.0000000000B83000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
                  Source: netsh.exe, 00000003.00000002.1728117183.00000000011CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe Memory allocated: page read and write | page guard
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:57:18 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:59:36 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 18:28:56 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 19:01:50 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 18:01:13 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:57:20 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 18:00:01 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:58:45 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:59:08 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:57:40 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 18:06:27 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:57:00 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:59:31 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:59:24 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:58:12 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/10 | 10:51:05 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/10 | 11:27:45 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/10 | 06:12:19 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 18:05:39 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:57:34 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:58:40 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:58:36 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 18:01:07 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:58:50 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/10 | 00:35:17 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:57:26 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:57:36 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 18:26:42 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/10 | 11:11:59 - Program Manager
                  Source: Explower.exe, 00000007.00000002.1837225047.000000000511B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: dProgram Manager`
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, Explower.exe, 00000007.00000002.1836870113.0000000002C32000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:57:15 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:57:28 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, Explower.exe, 00000007.00000002.1836870113.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, Explower.exe, 00000007.00000002.1836870113.0000000002C01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 19:30:17 - Program Manager
                  Source: Vhl3X1aYeU.exe, Explower.exe2.0.dr, Explower.exe.0.dr, Explower.exe1.0.dr, Explower.exe4.0.dr, Explower.exe3.0.dr, Explower.exe7.0.dr, Explower.exe6.0.dr, Explower.exe0.0.dr, Explower.exe5.0.dr Binary or memory string: ProgMan
                  Source: Explower.exe, 00000007.00000002.1836870113.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, Explower.exe, 00000007.00000002.1836870113.0000000002C01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: kedProgram Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:57:23 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:59:18 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:58:55 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:57:30 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 18:00:24 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:58:19 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/10 | 07:53:28 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:58:26 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:57:27 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 18:30:14 - Program Manager
                  Source: Vhl3X1aYeU.exe, Explower.exe2.0.dr, Explower.exe.0.dr, Explower.exe1.0.dr, Explower.exe4.0.dr, Explower.exe3.0.dr, Explower.exe7.0.dr, Explower.exe6.0.dr, Explower.exe0.0.dr, Explower.exe5.0.dr Binary or memory string: Shell_traywnd+MostrarBarraDeTarefas
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:57:31 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:58:23 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:58:33 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:57:11 - Program Manager
                  Source: Vhl3X1aYeU.exe, Explower.exe2.0.dr, Explower.exe.0.dr, Explower.exe1.0.dr, Explower.exe4.0.dr, Explower.exe3.0.dr, Explower.exe7.0.dr, Explower.exe6.0.dr, Explower.exe0.0.dr, Explower.exe5.0.dr Binary or memory string: Shell_TrayWnd
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:57:01 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:58:15 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 18:07:17 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:57:42 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 18:01:53 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 19:01:16 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:57:39 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 18:01:33 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 18:37:06 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:58:04 - Program Manager
                  Source: Vhl3X1aYeU.exe, 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 25/01/07 | 17:58:14 - Program Manager
                  Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Lowering of HIPS / PFW / Operating System Security Settings

                  Source: Vhl3X1aYeU.exe, Fransesco.cs .Net Code: INS
                  Source: Explower.exe.0.dr, Fransesco.cs .Net Code: INS
                  Source: Explower.exe0.0.dr, Fransesco.cs .Net Code: INS
                  Source: Explower.exe1.0.dr, Fransesco.cs .Net Code: INS
                  Source: Explower.exe2.0.dr, Fransesco.cs .Net Code: INS
                  Source: Explower.exe3.0.dr, Fransesco.cs .Net Code: INS
                  Source: Explower.exe4.0.dr, Fransesco.cs .Net Code: INS
                  Source: Explower.exe5.0.dr, Fransesco.cs .Net Code: INS
                  Source: Explower.exe6.0.dr, Fransesco.cs .Net Code: INS
                  Source: Explower.exe7.0.dr, Fransesco.cs .Net Code: INS
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
                  Source: C:\Users\user\Desktop\Vhl3X1aYeU.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\Vhl3X1aYeU.exe" "Vhl3X1aYeU.exe" ENABLE

                  Stealing of Sensitive Information

Source: Yara match, File source: Vhl3X1aYeU.exe, type: SAMPLE
Source: Yara match, File source: 0.0.Vhl3X1aYeU.exe.5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000000.1671418007.00000000005A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Vhl3X1aYeU.exe PID: 6272, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Explower.exe PID: 6884, type: MEMORYSTR
Source: Yara match, File source: C:\Program Files (x86)\Explower.exe, type: DROPPED

                  Remote Access Functionality

Source: Yara match, File source: Vhl3X1aYeU.exe, type: SAMPLE
Source: Yara match, File source: 0.0.Vhl3X1aYeU.exe.5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000000.1671418007.00000000005A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Vhl3X1aYeU.exe PID: 6272, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Explower.exe PID: 6884, type: MEMORYSTR
Source: Yara match, File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
MITRE ATT&CK Matrix (one line per tactic; bracketed numbers are the count badges the report shows next to a technique)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: [11] Replication Through Removable Media, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: [12] Registry Run Keys / Startup Folder, [1] DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: [1] Access Token Manipulation, [2] Process Injection, [12] Registry Run Keys / Startup Folder, [1] DLL Side-Loading, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: [32] Masquerading, [41] Disable or Modify Tools, [31] Virtualization/Sandbox Evasion, [1] Access Token Manipulation, [2] Process Injection, [1] Obfuscated Files or Information, [1] Software Packing, [1] DLL Side-Loading
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: [11] Security Software Discovery, [2] Process Discovery, [31] Virtualization/Sandbox Evasion, [1] Application Window Discovery, [1] Peripheral Device Discovery, [1] File and Directory Discovery, [12] System Information Discovery, System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: [1] Archive Collected Data, [1] Clipboard Data, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: [1] Encrypted Channel, [1] Non-Standard Port, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Behavior Graph (ID: 1585656, Sample: Vhl3X1aYeU.exe, Start date: 07/01/2025, Architecture: WINDOWS, Score: 100)

Signatures shown at the graph root: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures.

Process tree (numbers after a process name are the graph's count badges for created registry values / created files):

Vhl3X1aYeU.exe (1, 24)
  Network: 77.90.22.45 port 3333 (local port 49730), ASGHOSTNETDE, Germany
  Dropped: C:\Windows\SysWOW64\Explower.exe (PE32); C:\Users\user\Favorites\Explower.exe (PE32); C:\Users\user\Documents\Explower.exe (PE32); 7 other malicious files
  Signatures: Drops PE files to the document folder of the user; Disables zone checking for all users; Drops PE files to the startup folder; 2 other signatures
  started netsh.exe (2), which started conhost.exe
  started netsh.exe (2), which started conhost.exe
  started netsh.exe (2), which started conhost.exe
Explower.exe (3)

Antivirus detection for the submitted sample

Source | Detection | Scanner | Label
Vhl3X1aYeU.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
Vhl3X1aYeU.exe | 100% | Avira | TR/Dropper.Gen
Vhl3X1aYeU.exe | 100% | Joe Sandbox ML | -

Antivirus detection for dropped files

Source | Detection | Scanner | Label
C:\Program Files (x86)\Explower.exe | 100% | Avira | TR/Dropper.Gen (9 identical entries)
C:\Program Files (x86)\Explower.exe | 100% | Joe Sandbox ML | - (9 identical entries)
C:\Program Files (x86)\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\Documents\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\Favorites\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Windows\SysWOW64\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT

No Antivirus matches
No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
77.90.22.45 | unknown | Germany | 12586 | ASGHOSTNETDE | true
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1585656
                  Start date and time:2025-01-07 23:56:08 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 7m 46s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:Vhl3X1aYeU.exe
                  renamed because original name is a hash value
                  Original Sample Name:0b06ffc35e57fa882d381e2516890367.exe
                  Detection:MAL
                  Classification:mal100.spre.phis.troj.adwa.evad.winEXE@11/23@0/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 98%
                  • Number of executed functions: 180
                  • Number of non-executed functions: 4
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Override analysis time to 240s for sample files taking high CPU consumption
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                  • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45, 4.175.87.197
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: Vhl3X1aYeU.exe
Time | Type | Description
17:57:39 | API Interceptor | 105103x Sleep call for process: Vhl3X1aYeU.exe modified
22:57:05 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
IP context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
77.90.22.45 | build.exe | malicious | RedLine | 77.90.22.45:15352/

No context

ASN context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ASGHOSTNETDE | build.exe | malicious | RedLine | 77.90.22.45
ASGHOSTNETDE | server.exe | malicious | Njrat | 77.90.22.45
ASGHOSTNETDE | Fantazy.i486.elf | malicious | Unknown | 77.90.25.227
ASGHOSTNETDE | armv5l.elf | malicious | Unknown | 5.231.4.240
ASGHOSTNETDE | mipsel.elf | malicious | Unknown | 5.231.4.240
ASGHOSTNETDE | powerpc.elf | malicious | Unknown | 5.231.4.240
ASGHOSTNETDE | mips.elf | malicious | Unknown | 5.231.4.240
ASGHOSTNETDE | sparc.elf | malicious | Unknown | 5.230.251.14
ASGHOSTNETDE | arm.nn.elf | malicious | Mirai, Okiru | 5.230.157.188
ASGHOSTNETDE | armv4l.elf | malicious | Unknown | 5.231.4.240

No context
No context
                  Process:C:\Users\user\Desktop\Vhl3X1aYeU.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):95232
                  Entropy (8bit):5.560028663711633
                  Encrypted:false
                  SSDEEP:1536:EgxOx6baIa9RZj00ljEwzGi1dDzDAegS:EgxbaIa93jNSi1dzAD
                  MD5:0B06FFC35E57FA882D381E2516890367
                  SHA1:5F1AAE9F6368528637E5FF05562366B306456D80
                  SHA-256:56B3DDAC0C8B5D6E4E31C452A200BAF843ACD84D174D05DB0317F28F79B4F9CD
                  SHA-512:CF386BD0B9FA0B2358DFA9C9CA8C5D12142F3AEFA4B461FFBE0D12F1FFC1BE6D6581EF7A917B4E456368DBA7E9C53ED5BCC13FD06893C49882F7FE23D4C0959F
                  Malicious:true
                  Yara Hits:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Program Files (x86)\Explower.exe, Author: Joe Security (3 identical entries)
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Program Files (x86)\Explower.exe, Author: unknown (4 identical entries)
• Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Program Files (x86)\Explower.exe, Author: Florian Roth
• Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Program Files (x86)\Explower.exe, Author: Sekoia.io (5 identical entries)
• Rule: Njrat, Description: detect njRAT in memory, Source: C:\Program Files (x86)\Explower.exe, Author: JPCERT/CC Incident Response Group (11 identical entries)
• Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen (30 identical entries)
                  Antivirus:
• Antivirus: Avira, Detection: 100% (9 identical entries)
• Antivirus: Joe Sandbox ML, Detection: 100% (9 identical entries)
• Antivirus: ReversingLabs, Detection: 84%
                  Reputation:low
                  Process:C:\Users\user\Desktop\Vhl3X1aYeU.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:true
                  Reputation:high, very likely benign file
                  Preview:[ZoneTransfer]....ZoneId=0
                  Process:C:\Users\user\Desktop\Vhl3X1aYeU.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):95232
                  Entropy (8bit):5.560028663711633
                  Encrypted:false
                  SSDEEP:1536:EgxOx6baIa9RZj00ljEwzGi1dDzDAegS:EgxbaIa93jNSi1dzAD
                  MD5:0B06FFC35E57FA882D381E2516890367
                  SHA1:5F1AAE9F6368528637E5FF05562366B306456D80
                  SHA-256:56B3DDAC0C8B5D6E4E31C452A200BAF843ACD84D174D05DB0317F28F79B4F9CD
                  SHA-512:CF386BD0B9FA0B2358DFA9C9CA8C5D12142F3AEFA4B461FFBE0D12F1FFC1BE6D6581EF7A917B4E456368DBA7E9C53ED5BCC13FD06893C49882F7FE23D4C0959F
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 84%
                  Process:C:\Users\user\Desktop\Vhl3X1aYeU.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:false
                  Preview:[ZoneTransfer]....ZoneId=0
                  Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):525
                  Entropy (8bit):5.259753436570609
                  Encrypted:false
                  SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
                  MD5:260E01CC001F9C4643CA7A62F395D747
                  SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
                  SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
                  SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
                  Malicious:false
                  Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                  Process:C:\Users\user\Desktop\Vhl3X1aYeU.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):95232
                  Entropy (8bit):5.560028663711633
                  Encrypted:false
                  SSDEEP:1536:EgxOx6baIa9RZj00ljEwzGi1dDzDAegS:EgxbaIa93jNSi1dzAD
                  MD5:0B06FFC35E57FA882D381E2516890367
                  SHA1:5F1AAE9F6368528637E5FF05562366B306456D80
                  SHA-256:56B3DDAC0C8B5D6E4E31C452A200BAF843ACD84D174D05DB0317F28F79B4F9CD
                  SHA-512:CF386BD0B9FA0B2358DFA9C9CA8C5D12142F3AEFA4B461FFBE0D12F1FFC1BE6D6581EF7A917B4E456368DBA7E9C53ED5BCC13FD06893C49882F7FE23D4C0959F
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 84%
                  Process:C:\Users\user\Desktop\Vhl3X1aYeU.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:false
                  Preview:[ZoneTransfer]....ZoneId=0
                  Process:C:\Users\user\Desktop\Vhl3X1aYeU.exe
                  File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                  Category:dropped
                  Size (bytes):4
                  Entropy (8bit):2.0
                  Encrypted:false
                  SSDEEP:3:X:X
                  MD5:FBA73CE50D8CFB469EC29A2333B22A85
                  SHA1:4B7B6DFB36AF4A016301DC065870DD0829DB0A55
                  SHA-256:56AE4E1144656432194C610E366FB556F7401A9993E75C0007F46397A5DDFA03
                  SHA-512:B620D99E15C25E970A09738D14B493B2345EC1EB48737E2983565666A3C052D235712DB01A110C9948DC00D62A14FCCCF43CCC295F993D673334DC88497C77C7
                  Malicious:false
                  Preview:.7
                  Process:C:\Windows\SysWOW64\netsh.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):313
                  Entropy (8bit):4.971939296804078
                  Encrypted:false
                  SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                  MD5:689E2126A85BF55121488295EE068FA1
                  SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
                  SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                  SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                  Malicious:false
                  Preview:..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....
                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):5.560028663711633
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  • Win32 Executable (generic) a (10002005/4) 49.75%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Windows Screen Saver (13104/52) 0.07%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  File name:Vhl3X1aYeU.exe
                  File size:95'232 bytes
                  MD5:0b06ffc35e57fa882d381e2516890367
                  SHA1:5f1aae9f6368528637e5ff05562366b306456d80
                  SHA256:56b3ddac0c8b5d6e4e31c452a200baf843acd84d174d05db0317f28f79b4f9cd
                  SHA512:cf386bd0b9fa0b2358dfa9c9ca8c5d12142f3aefa4b461ffbe0d12f1ffc1be6d6581ef7a917b4e456368dba7e9c53ed5bcc13fd06893c49882f7fe23d4c0959f
                  SSDEEP:1536:EgxOx6baIa9RZj00ljEwzGi1dDzDAegS:EgxbaIa93jNSi1dzAD
                  TLSH:A893E84977E52524E5BF56F79871F2004E34B48B1602E39D48F219AA1B33AC44F89FEB
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....|g.................p............... ........@.. ....................................@................................
                  Icon Hash:90cececece8e8eb0
                  Entrypoint:0x418efe
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0x677C1A11 [Mon Jan 6 17:59:45 2025 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                  Instruction
                  jmp dword ptr [00402000h]
                  add byte ptr [eax], al
                  Name                                  Virtual Address  Virtual Size  Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_IMPORT          0x18ea8          0x53          .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_BASERELOC       0x1a000          0xc           .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                  Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                  .text   0x2000           0x16f04       0x17000   7a35295feb40ef132602d0ca762e331d  False     0.3681003736413043  data       5.591903135296159    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .reloc  0x1a000          0xc           0x200     02466978873e232bef309f048b95192f  False     0.041015625         data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                  DLL          Import
                  mscoree.dll  _CorExeMain
                  Timestamp                         SID      Signature                                                  Severity  Source IP    Source Port  Dest IP      Dest Port  Protocol
                  2025-01-07T23:57:07.036622+0100   2033132  ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)      1         192.168.2.4  49730        77.90.22.45  3333       TCP
                  2025-01-07T23:57:07.036622+0100   2021176  ET MALWARE Bladabindi/njRAT CnC Command (ll)               1         192.168.2.4  49730        77.90.22.45  3333       TCP
                  2025-01-07T23:57:13.075499+0100   2825564  ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)  1         192.168.2.4  49730        77.90.22.45  3333       TCP


Target ID: 0
Start time: 17:56:59
Start date: 07/01/2025
Path: C:\Users\user\Desktop\Vhl3X1aYeU.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Vhl3X1aYeU.exe"
Imagebase: 0x5a0000
File size: 95'232 bytes
MD5 hash: 0B06FFC35E57FA882D381E2516890367
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1671418007.00000000005A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1671418007.00000000005A2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.1671418007.00000000005A2000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.4123012226.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Target ID: 1
Start time: 17:57:00
Start date: 07/01/2025
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: netsh firewall add allowedprogram "C:\Users\user\Desktop\Vhl3X1aYeU.exe" "Vhl3X1aYeU.exe" ENABLE
Imagebase: 0x1560000
File size: 82'432 bytes
MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 17:57:00
Start date: 07/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 17:57:02
Start date: 07/01/2025
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: netsh firewall delete allowedprogram "C:\Users\user\Desktop\Vhl3X1aYeU.exe"
Imagebase: 0x1560000
File size: 82'432 bytes
MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 17:57:02
Start date: 07/01/2025
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: netsh firewall add allowedprogram "C:\Users\user\Desktop\Vhl3X1aYeU.exe" "Vhl3X1aYeU.exe" ENABLE
Imagebase: 0x1560000
File size: 82'432 bytes
MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 17:57:02
Start date: 07/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 17:57:02
Start date: 07/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 17:57:13
Start date: 07/01/2025
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe"
Imagebase: 0x760000
File size: 95'232 bytes
MD5 hash: 0B06FFC35E57FA882D381E2516890367
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 84%, ReversingLabs
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 34.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 7.1%
Total number of Nodes: 99
Total number of Limit Nodes: 6
Strings
Memory Dump Source
• Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd

Control-flow Graph
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID: $|t
                    • API String ID: 0-1654681884
                    • Opcode ID: 49941fa28cafae0822ac785d2a86c3ed893b6741af2e15e43a2eeab3eddd5b5b
                    • Instruction ID: 33a6df3b970c660dfcd0e91ee1581a60ebb8fed6e49764a923fb8012b44a5dbb
                    • Opcode Fuzzy Hash: 49941fa28cafae0822ac785d2a86c3ed893b6741af2e15e43a2eeab3eddd5b5b
                    • Instruction Fuzzy Hash: 3CF26978A01228CFDB25EF35DC55BA9B7B2BB48304F1041E9D949A73A4DB35AE81CF50

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID: $|t
                    • API String ID: 0-1654681884
                    • Opcode ID: 4ffc7296eee7ef04e0447df91350dad473284269f3a3ffc0a832693430350d19
                    • Instruction ID: ee1807c7fa89d807cf6098519015aff4ca24a0a96eb97c15187eefbdf0b75b66
                    • Opcode Fuzzy Hash: 4ffc7296eee7ef04e0447df91350dad473284269f3a3ffc0a832693430350d19
                    • Instruction Fuzzy Hash: C9F26978A01228CFDB25EF35DC51BA9B7B2BB48304F1041E9D949A73A4DB35AE81CF50

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID: $|t
                    • API String ID: 0-1654681884
                    • Opcode ID: 8975d1a1a86223ad96eeb31ce20e7d3aa5ff1f60bfd6aaf04eff10490faf62db
                    • Instruction ID: 0532058cea2cf2264502e13f8f9a3c20dbed54e59664eb4bc0e51142736648ec
                    • Opcode Fuzzy Hash: 8975d1a1a86223ad96eeb31ce20e7d3aa5ff1f60bfd6aaf04eff10490faf62db
                    • Instruction Fuzzy Hash: 40F26978A01228CFDB25EF35DC95BA9B7B2BB48304F1041E9D949A73A4DB359E81CF50

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID: $|t
                    • API String ID: 0-1654681884
                    • Opcode ID: 9dc5f85313455f5a079d83b700fb2f0b6677fd3fc8c1ac23cc42aafea96165fe
                    • Instruction ID: d10cbad794b050e8dd6aba86fcac287107dad875854c2720f9d1b988553f7860
                    • Opcode Fuzzy Hash: 9dc5f85313455f5a079d83b700fb2f0b6677fd3fc8c1ac23cc42aafea96165fe
                    • Instruction Fuzzy Hash: 76F26978A01228CFDB25EF35DC95BA9B7B2BB48304F1041E9D949A73A4DB359E81CF50

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID: $|t
                    • API String ID: 0-1654681884
                    • Opcode ID: 40b368861a59d52f30448d40c8d5f9b5716b9d07ddd5056e5321192775700737
                    • Instruction ID: 0e0dae110e1a556f52c0874913871b1e10fed5291070ef7b41856ec7f41ca7a9
                    • Opcode Fuzzy Hash: 40b368861a59d52f30448d40c8d5f9b5716b9d07ddd5056e5321192775700737
                    • Instruction Fuzzy Hash: F7E26978A01228CFDB25EF35DC91BA9B7B1BB48304F1041E9D949A73A4DB359E85CF50

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID: |t
                    • API String ID: 0-1785604035
                    • Opcode ID: 6ad9d175ebdcac3311666276edc18f2b29caf3022c1afcde10719f43d3c37be7
                    • Instruction ID: d837ed037e26de1ed5ee090134528bdf2b9d09e9740282d006d7c502683bba10
                    • Opcode Fuzzy Hash: 6ad9d175ebdcac3311666276edc18f2b29caf3022c1afcde10719f43d3c37be7
                    • Instruction Fuzzy Hash: FBE25978A01228CFDB25EF35DC91BA9B7B2BB48304F1041E9D949A73A4DB359E85CF50

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID: |t
                    • API String ID: 0-1785604035
                    • Opcode ID: 1be0cb7f6743e993d8dcd0a994b01e3d47bbafca9546d043085e8f5a799b9aca
                    • Instruction ID: ae3ccc85ce1c54585bf76b140d1eeba7ab1f1e29eac72adf840cf78005fcc796
                    • Opcode Fuzzy Hash: 1be0cb7f6743e993d8dcd0a994b01e3d47bbafca9546d043085e8f5a799b9aca
                    • Instruction Fuzzy Hash: 6DD26878A01228CFDB25EF35DC95BA9B7B1BB48304F1041E9E949A73A4DB359E81CF50

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID: |t
                    • API String ID: 0-1785604035
                    • Opcode ID: 60c905833feeb7ec9066924bbb3aa177c70d37b04edd78dc130b73f76f98578f
                    • Instruction ID: 7d416061659d4ae0fdf7bb2e6ea31a8c03fcac79dab019d17c13644890e1f4c7
                    • Opcode Fuzzy Hash: 60c905833feeb7ec9066924bbb3aa177c70d37b04edd78dc130b73f76f98578f
                    • Instruction Fuzzy Hash: F2D26878A01228CFDB25EF35DC95BA9B7B1BB48304F1041E9E949A73A4DB359E81CF50

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    Control-flow graph: basic blocks fe5000 to fe715f; calls fe4278 (x3), fe717b, fe71c8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID: |t
                    • API String ID: 0-1785604035
                    • Opcode ID: f17024e947590775b823d4ba0ad45289fc32ae155eac7b794ccf9e848b7c3f1b
                    • Instruction ID: 30618cd6a182af78d95fb884e82a4756a840f2600fd0a979064b1915cbc3d801
                    • Opcode Fuzzy Hash: f17024e947590775b823d4ba0ad45289fc32ae155eac7b794ccf9e848b7c3f1b
                    • Instruction Fuzzy Hash: 27D25878A01228CFDB25EF35DC95BA9B7B1BB48304F1041E9E949A73A4DB359E81CF50

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    Control-flow graph: basic blocks fe505d to fe715f; calls fe4278 (x3), fe717b, fe71c8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID: |t
                    • API String ID: 0-1785604035
                    • Opcode ID: 2dbcf90e496465654f8b6ad472ff9fb620ad09ee86c425afa990cf0575f78c24
                    • Instruction ID: 81dca50fe5bc920f0cef4c2500a7bf6defb425122f918487dad26ad339e96997
                    • Opcode Fuzzy Hash: 2dbcf90e496465654f8b6ad472ff9fb620ad09ee86c425afa990cf0575f78c24
                    • Instruction Fuzzy Hash: E3D25878A01228CFDB25EF35DC95BA9B7B1BB48304F1041E9E949A73A4DB359E81CF50
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID: |t
                    • API String ID: 0-1785604035
                    • Opcode ID: 8cec6b7c1c8140f6e47069bd74f781e6e9a7576d09a6cb0ff6f928cda6d6af9c
                    • Instruction ID: f036eb3197ea786d68d0bb55b1db1e38751f6b1da31b5e78217dd01e933b5d9f
                    • Opcode Fuzzy Hash: 8cec6b7c1c8140f6e47069bd74f781e6e9a7576d09a6cb0ff6f928cda6d6af9c
                    • Instruction Fuzzy Hash: 4BD24978A01228CFDB25EF35DC95BA9B7B1BB48304F1041E9E949A73A4DB359E81CF50
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID: |t
                    • API String ID: 0-1785604035
                    • Opcode ID: 9c406c6826d5bfb2c1e3467998066e5b3d878ca5c459351a9b90fd0f8fb75bd9
                    • Instruction ID: 694bb57531dcbfb4ec3f96c968e3b4c16e151e135ccc7e8108a0d4ae7a5d95a3
                    • Opcode Fuzzy Hash: 9c406c6826d5bfb2c1e3467998066e5b3d878ca5c459351a9b90fd0f8fb75bd9
                    • Instruction Fuzzy Hash: 5DC21678A01228CFDB25EF35D855BA9B7B2FB48304F1041E9D909A7394DB36AE81CF50
                    APIs
                    • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00EABBBB
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: AdjustPrivilegesToken
                    • String ID:
                    • API String ID: 2874748243-0
                    • Opcode ID: c322935555b7ac95f902663f5b76c017281ef10792f66297b12df3f7b28e715a
                    • Instruction ID: 420050951ff1362c0a3f3699c1d1cf582a6193f2834b454eb51cd512e759d850
                    • Opcode Fuzzy Hash: c322935555b7ac95f902663f5b76c017281ef10792f66297b12df3f7b28e715a
                    • Instruction Fuzzy Hash: 7F21BC75509780AFEB228F25DC44B52BFF4AF1A310F0884DAE9858F163D370A908CB72
                    APIs
                    • NtQuerySystemInformation.NTDLL ref: 00EABD29
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: InformationQuerySystem
                    • String ID:
                    • API String ID: 3562636166-0
                    • Opcode ID: fe419451610385420947f40cbbc2d9db2e4fa3d1768e3d2d780d8bf454c81079
                    • Instruction ID: 6cef862ad4c03561782619e3562c385b8e5b90f47303d6dab08c35298af1054e
                    • Opcode Fuzzy Hash: fe419451610385420947f40cbbc2d9db2e4fa3d1768e3d2d780d8bf454c81079
                    • Instruction Fuzzy Hash: 2A1190714093C0AFDB228F14DC45A92FFB4EF57314F0984DAE9844F263D275A908DB62
                    APIs
                    • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00EABBBB
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: AdjustPrivilegesToken
                    • String ID:
                    • API String ID: 2874748243-0
                    • Opcode ID: 60479ef05ad8bfd0ff0a27823dcb37d9c738c1f66ad972576677a1a431fdb4d2
                    • Instruction ID: 42865876d1600b96332a5f38e0349bb94fb5fc961cffbbd01104fc8cfcaf28ab
                    • Opcode Fuzzy Hash: 60479ef05ad8bfd0ff0a27823dcb37d9c738c1f66ad972576677a1a431fdb4d2
                    • Instruction Fuzzy Hash: 7A119E315002049FDB20CF29D984BA6FBE4EF09320F08C4AADD498F656D375E518DB71
                    APIs
                    • NtQuerySystemInformation.NTDLL ref: 00EABD29
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: InformationQuerySystem
                    • String ID:
                    • API String ID: 3562636166-0
                    • Opcode ID: f5b3ebc9387549b08914e25eef604a1f5ac62568ceee4a82efd02ab2b5147d34
                    • Instruction ID: 936982580671343066f4fdb7e9efc963ab7cd38e5240e44c3a0e463881955f50
                    • Opcode Fuzzy Hash: f5b3ebc9387549b08914e25eef604a1f5ac62568ceee4a82efd02ab2b5147d34
                    • Instruction Fuzzy Hash: 19018B354002449FEB308F05D984BA6FBE0EF19324F08C4AADD491F666D376E518DB62
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 00ddc9ab1084e8922ceb91da7477357c8bcea96c701b44d3566003bd974989a1
                    • Instruction ID: a2d3ad804de65d47ae5ef15db35267dbb02075ed0367596d12aed94ce4db1da9
                    • Opcode Fuzzy Hash: 00ddc9ab1084e8922ceb91da7477357c8bcea96c701b44d3566003bd974989a1
                    • Instruction Fuzzy Hash: 8AC20778A01228CFDB25EF31D955BA9B7B2FB48304F1041E9D909A7394DB36AE81DF50
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 59b3079fa7e86df1c9ca9b845a258ae4056131e698fe4c843c88bbafec2eec0c
                    • Instruction ID: 7bf316060487d16827a462e6835bf67daeaa051ceccf4beaeea1a1bd577111ec
                    • Opcode Fuzzy Hash: 59b3079fa7e86df1c9ca9b845a258ae4056131e698fe4c843c88bbafec2eec0c
                    • Instruction Fuzzy Hash: 61424636A053928BDB28FB77C85027973A2BF80364B254235D4519B2D4EF39ED42E752

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    Control-flow graph: basic blocks fe3440 to fe34e8; calls fb05e0 or fb0606 at fe3462
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID: HQ$XR$P
                    • API String ID: 0-2787943518
                    • Opcode ID: 78fe0c0f123c48c41c2f1019b4402f405234eabd1b237a02ac4d7c83a9a62273
                    • Instruction ID: 0b3c2f5f2370c22396a97180f5d6e1c880ff9c855e58e6c68134605234896a82
                    • Opcode Fuzzy Hash: 78fe0c0f123c48c41c2f1019b4402f405234eabd1b237a02ac4d7c83a9a62273
                    • Instruction Fuzzy Hash: 0701E13460A381CFCB00EB78D68995E3BE1AFC9304B04882CE085DB266EB3498489B52
                    APIs
                    • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 04E62725
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: Create
                    • String ID:
                    • API String ID: 2289755597-0
                    • Opcode ID: e8dcffd3c1be34bed00690bea18e343d79cb1f2879661e31152b0647662ff775
                    • Instruction ID: ffabe7081c5864e430acc005c6c99da823d1c6276ddaf5eea2ec1cc20f27976a
                    • Opcode Fuzzy Hash: e8dcffd3c1be34bed00690bea18e343d79cb1f2879661e31152b0647662ff775
                    • Instruction Fuzzy Hash: EA4180711493C06FE7238B358C50FA6BFB8EF07214F0945DAE985CB563D264A909CB72
                    APIs
                    • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 04E60CDE
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: QueryValue
                    • String ID:
                    • API String ID: 3660427363-0
                    • Opcode ID: 2c92aa0018297ab5665c5589b68eb21067c7bfe1717c44b6008821885e1e486b
                    • Instruction ID: 8c179e9c56ca475488a511247ec423ae295bbb700cd49800066b080c806284a4
                    • Opcode Fuzzy Hash: 2c92aa0018297ab5665c5589b68eb21067c7bfe1717c44b6008821885e1e486b
                    • Instruction Fuzzy Hash: 43318B6510E3C06FD3138B258C61A61BFB4EF47610F0E45CBD8C48B6A3D269A919D7B2
                    APIs
                    • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00EAB291
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    • Opcode ID: e991ab173e1d834ec6567ddac5838b7b52d82b54a8b30cf00391db35da724662
                    • Instruction ID: 61c1d807ee084c4494784f25e210f8e75286af5db5bd7bfb751c6a6245ab9723
                    • Opcode Fuzzy Hash: e991ab173e1d834ec6567ddac5838b7b52d82b54a8b30cf00391db35da724662
                    • Instruction Fuzzy Hash: C231A4714093846FD7228B65CC45FA6BFB8EF1A214F08849BE984DB563D364E909C771
                    APIs
                    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00EAAB25
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: e7c51c0de3e329cd3ab08a82d47027ab02fb43a7f0f45a1f7d06dad00e865ed1
                    • Instruction ID: 44672388d35223ae02eafb372c1918bd5ebdef1bd9a2cd6e8e8cee2a9aecba59
                    • Opcode Fuzzy Hash: e7c51c0de3e329cd3ab08a82d47027ab02fb43a7f0f45a1f7d06dad00e865ed1
                    • Instruction Fuzzy Hash: 2B318F71504340AFE721CF25CC44F56BBF8EF0A314F0888AAE9458B652D375E908CB71
                    APIs
                    • RegQueryValueExW.KERNELBASE(?,00000E24,F59BA511,00000000,00000000,00000000,00000000), ref: 00EAB394
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: QueryValue
                    • String ID:
                    • API String ID: 3660427363-0
                    • Opcode ID: 34303178af4cda238dba57d4a47010e823dc4685f301598ad6eb6073930d9c90
                    • Instruction ID: e4d72185162155878188ec1cf6ae8eccb1fc0c9522c782005afa320b934fdafe
                    • Opcode Fuzzy Hash: 34303178af4cda238dba57d4a47010e823dc4685f301598ad6eb6073930d9c90
                    • Instruction Fuzzy Hash: 4D3193755093846FDB22CB61CC44FA6BFB8EF0B314F08849AE9459B263D364E94CCB61
                    APIs
                    • CreateMutexW.KERNELBASE(?,?), ref: 00EAB0DD
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: CreateMutex
                    • String ID:
                    • API String ID: 1964310414-0
                    • Opcode ID: 488dc72571c95487fd4d15d4991cdcc6b72100a70447b655977d45be07dffd02
                    • Instruction ID: 77eea7ea4934fc0121457a2e3c4acb2c45b23527e6cb1aa68e782cea68d2348f
                    • Opcode Fuzzy Hash: 488dc72571c95487fd4d15d4991cdcc6b72100a70447b655977d45be07dffd02
                    • Instruction Fuzzy Hash: F03172715093805FE721CB65DD95B96BFB8EF06314F0884AAE9448F293D375A908C762
                    APIs
                    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 04E611C7
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: DescriptorSecurity$ConvertString
                    • String ID:
                    • API String ID: 3907675253-0
                    • Opcode ID: d9b83122c6433249cdf63406384bade0fbee5f15f35c1bae4dc758f0fa44b790
                    • Instruction ID: 614e27937ce5b8e1f3683dfde076e837f22a9d068edbb36e3bf17ab1838f1e05
                    • Opcode Fuzzy Hash: d9b83122c6433249cdf63406384bade0fbee5f15f35c1bae4dc758f0fa44b790
                    • Instruction Fuzzy Hash: 8F31B171504384AFEB22CB64DC45FA6BBB8EF05214F0884AAE945CB652D274A918CB71
                    APIs
                    • GetProcessTimes.KERNELBASE(?,00000E24,F59BA511,00000000,00000000,00000000,00000000), ref: 04E618D1
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: ProcessTimes
                    • String ID:
                    • API String ID: 1995159646-0
                    • Opcode ID: a033c73bb5544f0edee96d52e63ddb0fdf1e613d52592fdb5cc2b2cc5b6b1838
                    • Instruction ID: c362cc588d70962a17c42ea42e8af2ca7a61502a7bfee03d53da7a05ebae33a8
                    • Opcode Fuzzy Hash: a033c73bb5544f0edee96d52e63ddb0fdf1e613d52592fdb5cc2b2cc5b6b1838
                    • Instruction Fuzzy Hash: 1A31C572505380AFE7228F64DD45B96BFB8EF06314F08889BE9858B193D274A909CB71
                    APIs
                    • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 04E62725
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: Create
                    • String ID:
                    • API String ID: 2289755597-0
                    • Opcode ID: a341131e91f788de29c0f076de362d8ecedfc2f0e8b284f92b206173ca5d93cd
                    • Instruction ID: 4eba576c81d707adee537b3a8191332b0c12da948ef07f0b20e3a3f70bef8b4b
                    • Opcode Fuzzy Hash: a341131e91f788de29c0f076de362d8ecedfc2f0e8b284f92b206173ca5d93cd
                    • Instruction Fuzzy Hash: 61217172500304AEEB31DE55CD44FA7F7ECEF08714F04886AEA45C6652E765F5188B71
                    APIs
                    • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 00EAA77E
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: Clipboard
                    • String ID:
                    • API String ID: 220874293-0
                    • Opcode ID: 7ef89016095956e948e2565b2e6a64ccedca7862e3b34554c858717820203461
                    • Instruction ID: 0f6332b96f649f648f0fbfb363001002a7ed1e10a0d5db5f490c78d6546628ab
                    • Opcode Fuzzy Hash: 7ef89016095956e948e2565b2e6a64ccedca7862e3b34554c858717820203461
                    • Instruction Fuzzy Hash: 1B31807104D3C06FD3138B259C61B62BFB4EF87610F0A40DBE884CB6A3D2696919D772
                    APIs
                    • GetExitCodeProcess.KERNELBASE(?,00000E24,F59BA511,00000000,00000000,00000000,00000000), ref: 04E62A60
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: CodeExitProcess
                    • String ID:
                    • API String ID: 3861947596-0
                    • Opcode ID: 322fa5935322fea7160ece30057cf2ad008b9e40d08d415c0bff8a12894c547e
                    • Instruction ID: b9342dc7d32bf731845d6bb8a121e84a6b1c42380a0f676c201cfcf84dab1346
                    • Opcode Fuzzy Hash: 322fa5935322fea7160ece30057cf2ad008b9e40d08d415c0bff8a12894c547e
                    • Instruction Fuzzy Hash: A221D6715093846FE722CB24DC55B96BFB8AF46314F0884DBE9888F193D274A949C772
                    APIs
                    • SendMessageTimeoutA.USER32(?,00000E24), ref: 00EAB571
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: MessageSendTimeout
                    • String ID:
                    • API String ID: 1599653421-0
                    • Opcode ID: 14ec2c865c45688bf8393dd26096f1bfcf8935bed71d16226e09bb2f7e9b6498
                    • Instruction ID: 1e735d1a8934c607a0de33cebaa49aa65eb2cb05246f9c96020017eb2bfb1624
                    • Opcode Fuzzy Hash: 14ec2c865c45688bf8393dd26096f1bfcf8935bed71d16226e09bb2f7e9b6498
                    • Instruction Fuzzy Hash: 8C21B671504340AFEB328F51DC44FA6FFB8EF46314F08889AE9845F562D375A909CB61
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: select
                    • String ID:
                    • API String ID: 1274211008-0
                    • Opcode ID: 5582bbc824ab968a6b464d3299918b414a22b936540a706c6c42d6e173e2bce7
                    • Instruction ID: 5115c94aa5b935f1b40b1066133640d872419b377893c8e2e4444740aeb8220f
                    • Opcode Fuzzy Hash: 5582bbc824ab968a6b464d3299918b414a22b936540a706c6c42d6e173e2bce7
                    • Instruction Fuzzy Hash: 1E216D715093849FDB22CF25DC44A52BFF8EF46314F0884DAE985CB262D275A909DB71
                    APIs
                    • WriteFile.KERNELBASE(?,00000E24,F59BA511,00000000,00000000,00000000,00000000), ref: 00EAAF0D
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: FileWrite
                    • String ID:
                    APIs
                    • RegSetValueExW.KERNELBASE(?,00000E24,F59BA511,00000000,00000000,00000000,00000000), ref: 00EAB480
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: Value
                    • String ID:
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: FileView
                    • String ID:
                    APIs
                    • WSASocketW.WS2_32(?,?,?,?,?), ref: 04E60D96
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: Socket
                    • String ID:
                    APIs
                    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00EAAB25
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    APIs
                    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 04E611C7
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: DescriptorSecurity$ConvertString
                    • String ID:
                    APIs
                    • RegQueryValueExW.KERNELBASE(?,00000E24,F59BA511,00000000,00000000,00000000,00000000), ref: 04E610DC
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: QueryValue
                    • String ID:
                    APIs
                    • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00EAB291
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    APIs
                    • SetErrorMode.KERNELBASE(?), ref: 00EAAA44
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: ErrorMode
                    • String ID:
                    APIs
                    • GetFileType.KERNELBASE(?,00000E24,F59BA511,00000000,00000000,00000000,00000000), ref: 00EAACBD
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: FileType
                    • String ID:
                    APIs
                    • GetProcessWorkingSetSize.KERNEL32(?,00000E24,F59BA511,00000000,00000000,00000000,00000000), ref: 04E62B3F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: ProcessSizeWorking
                    • String ID:
                    APIs
                    • SetProcessWorkingSetSize.KERNEL32(?,00000E24,F59BA511,00000000,00000000,00000000,00000000), ref: 04E62C23
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: ProcessSizeWorking
                    • String ID:
                    APIs
                    • CreateMutexW.KERNELBASE(?,?), ref: 00EAB0DD
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: CreateMutex
                    • String ID:
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: send
                    • String ID:
                    APIs
                    • CopyFileW.KERNELBASE(?,?,?), ref: 00EAB82A
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: CopyFile
                    • String ID:
                    APIs
                    • RegQueryValueExW.KERNELBASE(?,00000E24,F59BA511,00000000,00000000,00000000,00000000), ref: 00EAB394
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: QueryValue
                    • String ID:
                    APIs
                    • ioctlsocket.WS2_32(?,00000E24,F59BA511,00000000,00000000,00000000,00000000), ref: 04E628B3
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: ioctlsocket
                    • String ID:
                    APIs
                    • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04E61B06
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: Connect
                    • String ID:
                    APIs
                    • WSASocketW.WS2_32(?,?,?,?,?), ref: 04E60D96
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: Socket
                    • String ID:
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: FileView
                    • String ID:
                    APIs
                    • SendMessageTimeoutA.USER32(?,00000E24), ref: 00EAB571
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: MessageSendTimeout
                    • String ID:
                    APIs
                    • LoadLibraryA.KERNELBASE(?,00000E24), ref: 04E61DCF
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    APIs
                    • RegSetValueExW.KERNELBASE(?,00000E24,F59BA511,00000000,00000000,00000000,00000000), ref: 00EAB480
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: Value
                    • String ID:
                    APIs
                    • RegQueryValueExW.KERNELBASE(?,00000E24,F59BA511,00000000,00000000,00000000,00000000), ref: 04E610DC
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: QueryValue
                    • String ID:
                    APIs
                    • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00EABA3A
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: LookupPrivilegeValue
                    • String ID:
                    APIs
                    • GetProcessTimes.KERNELBASE(?,00000E24,F59BA511,00000000,00000000,00000000,00000000), ref: 04E618D1
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: ProcessTimes
                    • String ID:
                    APIs
                    • GetProcessWorkingSetSize.KERNEL32(?,00000E24,F59BA511,00000000,00000000,00000000,00000000), ref: 04E62B3F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: ProcessSizeWorking
                    • String ID:
                    APIs
                    • SetProcessWorkingSetSize.KERNEL32(?,00000E24,F59BA511,00000000,00000000,00000000,00000000), ref: 04E62C23
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: ProcessSizeWorking
                    • String ID:
                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EAA5DE
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    APIs
                    • GetExitCodeProcess.KERNELBASE(?,00000E24,F59BA511,00000000,00000000,00000000,00000000), ref: 04E62A60
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: CodeExitProcess
                    • String ID:
                    APIs
                    • WriteFile.KERNELBASE(?,00000E24,F59BA511,00000000,00000000,00000000,00000000), ref: 00EAAF0D
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: FileWrite
                    • String ID:
                    APIs
                    • DeleteFileW.KERNELBASE(?), ref: 00EAB8E4
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    APIs
                    • ioctlsocket.WS2_32(?,00000E24,F59BA511,00000000,00000000,00000000,00000000), ref: 04E628B3
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: ioctlsocket
                    • String ID:
                    • API String ID: 3577187118-0
                    • Opcode ID: 38b1a77cb324b1c06934d2f85d7eacfbd24bb39c6ee5a581bb84d54c0c1a76af
                    • Instruction ID: 1dd9adf13eb7e45428dda8f85f2ec8948ecf1ce6a6ec9af1f49b02eff8bcf886
                    • Opcode Fuzzy Hash: 38b1a77cb324b1c06934d2f85d7eacfbd24bb39c6ee5a581bb84d54c0c1a76af
                    • Instruction Fuzzy Hash: 2F11E371500300AFEB30DF54DD44BAAF7A8EF44324F0488AAEE498B641D774A508CBB1
                    APIs
                    • LoadLibraryA.KERNELBASE(?,00000E24), ref: 04E61DCF
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 2006b129198214e049742d268b2536e5bd3b1258310dcac7cdba85add72cffb4
                    • Instruction ID: f9d21c8d19028781e000f1f84510fc826bdcedef71adde6fe6c33ff3ad619e9c
                    • Opcode Fuzzy Hash: 2006b129198214e049742d268b2536e5bd3b1258310dcac7cdba85add72cffb4
                    • Instruction Fuzzy Hash: D511E571540300AEEB31DF15DD41FA6F7A8DF44724F1484AAED094A781D7B4F608CAB5
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: select
                    • String ID:
                    • API String ID: 1274211008-0
                    • Opcode ID: 998f7a226b1f69034aae3982ca2aa6fd2b4d3bdc8514a6ffb7730b44c833bb52
                    • Instruction ID: e70aba8a9d3ebea43f9285a1cf3763ff9529c07c60b17af08549ae10ba3f5996
                    • Opcode Fuzzy Hash: 998f7a226b1f69034aae3982ca2aa6fd2b4d3bdc8514a6ffb7730b44c833bb52
                    • Instruction Fuzzy Hash: 4C116D716002049FEB20DF15D884BA6FBE8EF44354F0888AADE4ACB656E374F508CB71
                    APIs
                    • CopyFileW.KERNELBASE(?,?,?), ref: 00EAB82A
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: CopyFile
                    • String ID:
                    • API String ID: 1304948518-0
                    • Opcode ID: cadb94de9d12b80f5663f27db7125501f8c4816dbe634dcb768fb391c5199a46
                    • Instruction ID: c91b519b2dfc791b792896c035b6c1e7c7f1eefb311672ed908de56371783ce0
                    • Opcode Fuzzy Hash: cadb94de9d12b80f5663f27db7125501f8c4816dbe634dcb768fb391c5199a46
                    • Instruction Fuzzy Hash: 51113071A002409FDB24CF29D885B66FBE8EF19714F0884AADD49DF652D778E904CA71
                    APIs
                    • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00EABA3A
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: LookupPrivilegeValue
                    • String ID:
                    • API String ID: 3899507212-0
                    • Opcode ID: cadb94de9d12b80f5663f27db7125501f8c4816dbe634dcb768fb391c5199a46
                    • Instruction ID: 71a5eaf5a626789e12b3a23083dc3ae9703ef11ee5efd60e807f404927497cb9
                    • Opcode Fuzzy Hash: cadb94de9d12b80f5663f27db7125501f8c4816dbe634dcb768fb391c5199a46
                    • Instruction Fuzzy Hash: 79117C716042009FEB20CF29D885B66FBE8EF09324F0884AADC49DF652E774E904CA61
                    APIs
                    • GetFileType.KERNELBASE(?,00000E24,F59BA511,00000000,00000000,00000000,00000000), ref: 00EAACBD
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: FileType
                    • String ID:
                    • API String ID: 3081899298-0
                    • Opcode ID: 762287ed761cb24d63ad95bdd04115e4d8e4a0a1ce69a85fd1eb686c7d221e68
                    • Instruction ID: 26b55dd018162c517a975a31cd51578bbdf5924e42a2e78875add1b2de1fdc63
                    • Opcode Fuzzy Hash: 762287ed761cb24d63ad95bdd04115e4d8e4a0a1ce69a85fd1eb686c7d221e68
                    • Instruction Fuzzy Hash: 6801C471504304AFEB308B15DD85BAAF7A8DF49724F1884A6ED089F751D774E908CAB2
                    APIs
                    • WaitForInputIdle.USER32(?,?), ref: 00EAB76F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: IdleInputWait
                    • String ID:
                    • API String ID: 2200289081-0
                    • Opcode ID: 4bf34a63223f7b52d2fcfbdfc0e092b78e4ce2894e624e1dec766e9808c98a72
                    • Instruction ID: 3b8122f4c00fb9efb7078048070f1e72945cc23d138d30b727f6c6a2011b5d33
                    • Opcode Fuzzy Hash: 4bf34a63223f7b52d2fcfbdfc0e092b78e4ce2894e624e1dec766e9808c98a72
                    • Instruction Fuzzy Hash: D0119E714083809FDB21CF15DC84B56BFA4EF46320F0984DAED448F262D279A908CB62
                    APIs
                    • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04E61B06
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: Connect
                    • String ID:
                    • API String ID: 3144859779-0
                    • Opcode ID: fdce1fbc2d804031795faff4d6467961a69e09fbbf32a3bcf8e2471fb04ba927
                    • Instruction ID: 67d31d1a9f933e925feda9007a218f42148495f456ed47803f494c0b348af13a
                    • Opcode Fuzzy Hash: fdce1fbc2d804031795faff4d6467961a69e09fbbf32a3bcf8e2471fb04ba927
                    • Instruction Fuzzy Hash: B2117C31500244DFDB31CF55D984B66FBE8EF08350F0889AADD8A8B622E375E518DB62
                    APIs
                    • DeleteFileW.KERNELBASE(?), ref: 00EAB8E4
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0
                    • Opcode ID: ea2c013509fd5e3ae1c7513612c35cc5ac9f59240421462cdfc4218e1ccbb284
                    • Instruction ID: be817d9e57c10145d5069e4c48622834a71778a8f9dbfa30274a9b2dd42e03b3
                    • Opcode Fuzzy Hash: ea2c013509fd5e3ae1c7513612c35cc5ac9f59240421462cdfc4218e1ccbb284
                    • Instruction Fuzzy Hash: 28019271A002049FEB20CF29D885766FBE8EF45324F0884AADD49DF742D378E904CB61
                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EAA5DE
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 645a36df9c4e8774814fd11cb75821f53f95bfb8d2fba7cbc5b064e347bb1a81
                    • Instruction ID: a44908d6a1bbfdd0378e0ab466aafe7b9782399464939c985fc6c2095b681c57
                    • Opcode Fuzzy Hash: 645a36df9c4e8774814fd11cb75821f53f95bfb8d2fba7cbc5b064e347bb1a81
                    • Instruction Fuzzy Hash: 78015B729007009FDF218F55D944B66FBE0EF49320F0888AADE495BA52D376E518DF62
                    APIs
                    • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 00EAA77E
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: Clipboard
                    • String ID:
                    • API String ID: 220874293-0
                    • Opcode ID: dd6d62debc148411d597be5807f9b80f0b6f551a91dabce333e5202b64674d7f
                    • Instruction ID: c863220b4244c4da813be16fd3c0f5806e32b19a65b82bbe3ea8782d69d75ecc
                    • Opcode Fuzzy Hash: dd6d62debc148411d597be5807f9b80f0b6f551a91dabce333e5202b64674d7f
                    • Instruction Fuzzy Hash: DB01A271540201ABD210DF1ACD46B66FBE8FB89A20F14815AED089BB41D771F915CBE5
                    APIs
                    • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 04E60CDE
                    Memory Dump Source
                    • Source File: 00000000.00000002.4123758014.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4e60000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: QueryValue
                    • String ID:
                    • API String ID: 3660427363-0
                    • Opcode ID: 7bf77493363463f60249bc97b5786e6e74bd86bcfd7e88529d0aeccb528090be
                    • Instruction ID: e2f0575aaec8328f7f8f5398b594a3c42848c4341dc71d8d668505011d1a3353
                    • Opcode Fuzzy Hash: 7bf77493363463f60249bc97b5786e6e74bd86bcfd7e88529d0aeccb528090be
                    • Instruction Fuzzy Hash: 7501F271500200ABD210DF0ACC46B26FBE8FB88A20F14811AED088BB41D371F915CBE1
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: send
                    • String ID:
                    • API String ID: 2809346765-0
                    • Opcode ID: ac2e5c55a6d1f3a1b760896cba245403027c391692ed2770906b77c4502a043e
                    • Instruction ID: 0b27c5e8deff0cf4e96fe0d38af00da7265ab6674f57494c729779531b945a63
                    • Opcode Fuzzy Hash: ac2e5c55a6d1f3a1b760896cba245403027c391692ed2770906b77c4502a043e
                    • Instruction Fuzzy Hash: A6019E71505340AFDB20CF55D984B66FBE0EF59320F0888AADD499F612D375A508DBB2
                    APIs
                    • WaitForInputIdle.USER32(?,?), ref: 00EAB76F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: IdleInputWait
                    • String ID:
                    • API String ID: 2200289081-0
                    • Opcode ID: 935b32f32ba34726ac973f52c6adc9214d7b7f5f713a76856599f9f46588d024
                    • Instruction ID: 2fe767f600819db759b28b04d729bd2fc3bc6a725b06a53e048b0ef6935d6dad
                    • Opcode Fuzzy Hash: 935b32f32ba34726ac973f52c6adc9214d7b7f5f713a76856599f9f46588d024
                    • Instruction Fuzzy Hash: F301BC319002009FEB208F15D984B65FBA4EF49320F0888AAED489F652D3B9A504CA61
                    APIs
                    • SetErrorMode.KERNELBASE(?), ref: 00EAAA44
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: ErrorMode
                    • String ID:
                    • API String ID: 2340568224-0
                    • Opcode ID: b898c650305c9ea0c354bb73c3291f0c4904c56932770abc01df612944127698
                    • Instruction ID: a65526b62b1b2fae6f5a1c79ca2b9dd6c5c085b72bfe31309508f194d95cbcf8
                    • Opcode Fuzzy Hash: b898c650305c9ea0c354bb73c3291f0c4904c56932770abc01df612944127698
                    • Instruction Fuzzy Hash: CDF08C355043449FDB208F15DA84BA5FBE0EF49724F08C0EADD495F752D3B9AA08CEA2
                    APIs
                    • CloseHandle.KERNELBASE(?), ref: 00EAABF0
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: CloseHandle
                    • String ID:
                    • API String ID: 2962429428-0
                    • Opcode ID: b7d7839aa2372fc2aedb8e00b67dae3547b99bc5e0ceed5d999c5acc9d337c8a
                    • Instruction ID: 6b7ef1443273d4329d962c83eaab47548ecf2a6cc3f9b9faf44c77ba61c9e250
                    • Opcode Fuzzy Hash: b7d7839aa2372fc2aedb8e00b67dae3547b99bc5e0ceed5d999c5acc9d337c8a
                    • Instruction Fuzzy Hash: F421D4715093809FDB128B25DD91752BFA8EF46320F0984EADC858F2A3D2649908CB62
                    APIs
                    • CloseHandle.KERNELBASE(?), ref: 00EABC74
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: CloseHandle
                    • String ID:
                    • API String ID: 2962429428-0
                    • Opcode ID: 4ecd6687f6b5bb0e2c2b9921078fcf622e18af2f4169d8febaafab7189ea8a24
                    • Instruction ID: d577b9a042324c646c83dbc9d0bb519e9063c5bcdf017193f9e1db18f42ea803
                    • Opcode Fuzzy Hash: 4ecd6687f6b5bb0e2c2b9921078fcf622e18af2f4169d8febaafab7189ea8a24
                    • Instruction Fuzzy Hash: B921C3715093C05FDB12CB25DC94B92BFB4AF57324F0984DAE8858F663D274A908CB72
                    APIs
                    • CloseHandle.KERNELBASE(?), ref: 00EAA690
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: CloseHandle
                    • String ID:
                    • API String ID: 2962429428-0
                    • Opcode ID: d317cbb263592af59eb5540cb807ca8cffe90fc52d1a268a3bec8161c88272e1
                    • Instruction ID: 3a985199391ea527d67869863adce35409bd0c73e8037668a139fccde9611e10
                    • Opcode Fuzzy Hash: d317cbb263592af59eb5540cb807ca8cffe90fc52d1a268a3bec8161c88272e1
                    • Instruction Fuzzy Hash: 13216D714093C05FDB128B25DC94752BFB4DF47220F0D84DBD8849F1A3D2656A08CB72
                    APIs
                    • CloseHandle.KERNELBASE(?), ref: 00EABC74
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: CloseHandle
                    • String ID:
                    • API String ID: 2962429428-0
                    • Opcode ID: 4a82d588f24600183a64e04fe3087dd4a86be1df3d254eb2f298450922b942f7
                    • Instruction ID: 2a6633f885f38dab7f858dc34482ec0e842b92fda08a95a62ae71f2034575316
                    • Opcode Fuzzy Hash: 4a82d588f24600183a64e04fe3087dd4a86be1df3d254eb2f298450922b942f7
                    • Instruction Fuzzy Hash: 9601B1715042009FDB20CF29D984B96FBE4EF45320F08C4AADC499F752D775E508CA72
                    APIs
                    • CloseHandle.KERNELBASE(?), ref: 00EAABF0
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: CloseHandle
                    • String ID:
                    • API String ID: 2962429428-0
                    • Opcode ID: 4099ab29bd2b594cadc3e769e7da3f41916e7356a0a8ae23ed403862ff44f1f6
                    • Instruction ID: a873c8bad1a9da1d0c06e69f12c563883f5b486ddb3a7d2ebab18cdd379b92fa
                    • Opcode Fuzzy Hash: 4099ab29bd2b594cadc3e769e7da3f41916e7356a0a8ae23ed403862ff44f1f6
                    • Instruction Fuzzy Hash: DE01BC716042009FEB208F19D9847A6FBA4EF49320F08C4BADC099F642D379E908CA62
                    APIs
                    • CloseHandle.KERNELBASE(?), ref: 00EAA690
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122628727.0000000000EAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eaa000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID: CloseHandle
                    • String ID:
                    • API String ID: 2962429428-0
                    • Opcode ID: 0c1724445d575a8309f4f76fba45c213048d7bae4af5bb83c3aae313600cff3d
                    • Instruction ID: 651c54855b2ee5df57b9c2a491e2688a5d90acfe5b4437d60948a7dd797056d4
                    • Opcode Fuzzy Hash: 0c1724445d575a8309f4f76fba45c213048d7bae4af5bb83c3aae313600cff3d
                    • Instruction Fuzzy Hash: EC018F715043409FDB20CF15D9847A5FBA4EF49324F0CC4BADD489F656D379A504CEA2
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 52acb5a075bdcc07cae32ed4ac1b1e379cd3c64dbc22341a69c9bee62a942cfc
                    • Instruction ID: a4c86cab549eaeb23adb71f9d1a0f4ada365995b5ba3d2c7559aecdf973a632c
                    • Opcode Fuzzy Hash: 52acb5a075bdcc07cae32ed4ac1b1e379cd3c64dbc22341a69c9bee62a942cfc
                    • Instruction Fuzzy Hash: 5CB2B638B00295CFEB21AF3AE9107BD7BB6AB48344F144066D859E3794DB349D95EF20
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a005fd60b4fd8a655ee28f05d96b647ab47c9b3a239945a408dd24d7881c5af2
                    • Instruction ID: 3e7003359ba4936543d2a7559e24ed01cc9c2cce21a19947466df78484eb6702
                    • Opcode Fuzzy Hash: a005fd60b4fd8a655ee28f05d96b647ab47c9b3a239945a408dd24d7881c5af2
                    • Instruction Fuzzy Hash: 4F92E338B002909FEF356B3ED8117BD3BB6AB88744F1444669849E37A4EF349D55EB20
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 97ae49f78c1e688fa4da1077151ec0139ea58eef43bedeeb75069a31c648410e
                    • Instruction ID: aeda8e5f9031d1d0815a1127652a5c4066ecb0fb08359e49fbbe0b15161ee2c9
                    • Opcode Fuzzy Hash: 97ae49f78c1e688fa4da1077151ec0139ea58eef43bedeeb75069a31c648410e
                    • Instruction Fuzzy Hash: 3F92F438B002909FEF316B3ED8117BD3BB6AB88744F1444669849E37A4EF349D55EB20
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f282508f13dbaa03b6865fbad4bb0517e6cfb785621136e8abfc07f100b9f5aa
                    • Instruction ID: c1fe8dd103cda23390d634cf36bb4b2c3e1429fb0a6f41d8343c09d73bc8a5c5
                    • Opcode Fuzzy Hash: f282508f13dbaa03b6865fbad4bb0517e6cfb785621136e8abfc07f100b9f5aa
                    • Instruction Fuzzy Hash: 1A92F338B002909FEF316B3ED9117BD3BB6AB88744F1444669849E37A4EF349D55EB20
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3c7861686d3c155ce042893f97fc49702fa864638db88632ed9da21b590f8841
                    • Instruction ID: 29244d01c4e182aa4582ffb65b8efd1c26e670b59e71a46ce0022c499df4b454
                    • Opcode Fuzzy Hash: 3c7861686d3c155ce042893f97fc49702fa864638db88632ed9da21b590f8841
                    • Instruction Fuzzy Hash: D5B21778A01228CFDB25EF31D955BA9B7B2FB48304F1041E9D909A7394DB36AE81DF50
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4aa605fba5755c6a03e5c6c5803aa1eed303fe00d97f352b9f36242eebb80eaf
                    • Instruction ID: b63826e97b331072dfa32080ade600f6fadc115bd83e8d9fee4bc59f5633a1da
                    • Opcode Fuzzy Hash: 4aa605fba5755c6a03e5c6c5803aa1eed303fe00d97f352b9f36242eebb80eaf
                    • Instruction Fuzzy Hash: E6A21778A01228CFDB25EF35D955BA9B7B2FB48304F1041E9D909A7395DB36AE81CF40
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b0a3646f2569dbe58a0962c60bc28e24a2b51ab34b5fcf0b3a0153ccdb605e67
                    • Instruction ID: 0f06bf562ba1100b3ac167681eea1926ea7ca73225a1a89ceb6fe92ea1d23fab
                    • Opcode Fuzzy Hash: b0a3646f2569dbe58a0962c60bc28e24a2b51ab34b5fcf0b3a0153ccdb605e67
                    • Instruction Fuzzy Hash: 40920778A01228CFDB25EF35D955BA9B7B2FB48304F1041E9D909A7395DB36AE81CF40
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b2a253611b19c5b1543e7cc445c30110c1c353b82e4d8c2768f1bdaa39d2268d
                    • Instruction ID: 6368a593fbd7db4d791b563fa3e4d5a16a4ab326557a10083ef8a3885a2cdba7
                    • Opcode Fuzzy Hash: b2a253611b19c5b1543e7cc445c30110c1c353b82e4d8c2768f1bdaa39d2268d
                    • Instruction Fuzzy Hash: F3920778A01228CFDB25EF35D955BA9B7B2FB48304F1041E9D909A7395DB36AE81CF40
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c25d52d2d66bf478427a538684bd8d3b1afc5b13ffe8cbe3cdc55c7794d07588
                    • Instruction ID: ab4817b3f3e9801b15269d9466090b2cf43b8d125afeba96e21e937fdca9a7ec
                    • Opcode Fuzzy Hash: c25d52d2d66bf478427a538684bd8d3b1afc5b13ffe8cbe3cdc55c7794d07588
                    • Instruction Fuzzy Hash: 47821878A01228CFDB25EF35D895BA9B7B6FB48304F1041E9D909A7395DB369E81CF40
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bc755ec028142c82c0544e522aa17e06dceb94212e2088156f3d635aecc87885
                    • Instruction ID: f541c4aa34a9f4af262bfeeb1e855470a79ea755214f5935eafb94b9aab34e4e
                    • Opcode Fuzzy Hash: bc755ec028142c82c0544e522aa17e06dceb94212e2088156f3d635aecc87885
                    • Instruction Fuzzy Hash: 03722878A01228CFDB25EF35D855BA9B7B6FB48304F1041E9E909A7395DB369E81CF40
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 397b9ab97ece1311c69be6de538d2e26d0892686dbaeaab9e8c8a07b7576556e
                    • Instruction ID: a0a468d25c21f18125e1674200cfab77feb4552c4dc69186cf3649977df09134
                    • Opcode Fuzzy Hash: 397b9ab97ece1311c69be6de538d2e26d0892686dbaeaab9e8c8a07b7576556e
                    • Instruction Fuzzy Hash: 5F621978A01228CFDB25EF35D895BA9B7B6FB48304F1041E9E909A7395DB359E81CF40
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0adceba0d6d197f8d7b5049462d2fd55b7d4784998a2e68636ba14af1cd260d7
                    • Instruction ID: 661563b0327475d2c6ace8f57ee39634bae2e1446353e50ab4296ef00f5e07ce
                    • Opcode Fuzzy Hash: 0adceba0d6d197f8d7b5049462d2fd55b7d4784998a2e68636ba14af1cd260d7
                    • Instruction Fuzzy Hash: EA521878A01228CFDB25EF35D895BA9B7B6FB48304F1041E9E909A7395DB359E81CF40
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0e03f5b0ab3e0e38ed13d721abd084c2775f1bb82944882acd14fb4c4de8424d
                    • Instruction ID: d4f4d102c6283672dc44ec02998d613694c28640261f613c959f7b27d72db7d4
                    • Opcode Fuzzy Hash: 0e03f5b0ab3e0e38ed13d721abd084c2775f1bb82944882acd14fb4c4de8424d
                    • Instruction Fuzzy Hash: DE421978A01228CFDB25EF35D895BA9B7B6FB48304F1041E9E909A7395DB359E81CF40
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9c49e619ab53e1bef6a18c7e8a50c85e857154718bce5c23b65f1bdb90ff4c20
                    • Instruction ID: 78c4f7182cd70e249173024bcf945ccea9315f458e23245edac1c872bd8e8d69
                    • Opcode Fuzzy Hash: 9c49e619ab53e1bef6a18c7e8a50c85e857154718bce5c23b65f1bdb90ff4c20
                    • Instruction Fuzzy Hash: 5B323834A00268CFDB24EF75C855BEDB7B2AF48308F1045A9D509AB3A5DB399E85CF50
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 97886982e54405b5c7a07d93d1f470fa5a7bdea3bd16725cbeff4e967c572d14
                    • Instruction ID: 8eea9d0401a82ab578e7c0bc28b7392387ad8519b4efcc11637f9c8c4cd99b70
                    • Opcode Fuzzy Hash: 97886982e54405b5c7a07d93d1f470fa5a7bdea3bd16725cbeff4e967c572d14
                    • Instruction Fuzzy Hash: C8323978A01228CFDB25EF35D895BA9B7B6FB48304F1041E9E909A7395DB359E81CF40
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 955e1ad368c3bbc027c875e8e0ea21d8215d0ab5e7a4cabf05beab1ca292491b
                    • Instruction ID: 6f137ad58eda504a394bb4dedb1001f0b04d13207d8286157fc4031f3137f258
                    • Opcode Fuzzy Hash: 955e1ad368c3bbc027c875e8e0ea21d8215d0ab5e7a4cabf05beab1ca292491b
                    • Instruction Fuzzy Hash: A1222978A01228CFDB25EF35D895BA9B7B6FB48304F1041E9E949A7395DB359E81CF00
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3c642958a8325437ccf1b5d451cb0a9c06b16f0a6730fd00a350b908a6b454c6
                    • Instruction ID: 881a2cabd3d2fdc5f597a37d26e39d65f8be1f8e79dc730dab9d23a82ea38b9c
                    • Opcode Fuzzy Hash: 3c642958a8325437ccf1b5d451cb0a9c06b16f0a6730fd00a350b908a6b454c6
                    • Instruction Fuzzy Hash: 35024878A01228CFDB25EF34D895BA9B7B6FB48304F1041E9E949A7395DB359E81CF40
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 80b5a70c17665d03a1f69aa7e83acf593707f563152eae105869e7ea196b4807
                    • Instruction ID: d2abdac6cb3a58b0cfabbab16c953d828e1d0550510b6ccc1c225bc92e1c2268
                    • Opcode Fuzzy Hash: 80b5a70c17665d03a1f69aa7e83acf593707f563152eae105869e7ea196b4807
                    • Instruction Fuzzy Hash: A1D13139E00204DFDB19EFB5E85175D77B2AF88348B648529E805E73A8DF399C42DB90
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 114f606dcab12a8b576efa4e53e67dda4ed8d56532ec0428927629d89d8dcf33
                    • Instruction ID: 7e8e2e3f7ef0474b3dcd39fb26728e6e27aed695dffa96fc26709557791e8041
                    • Opcode Fuzzy Hash: 114f606dcab12a8b576efa4e53e67dda4ed8d56532ec0428927629d89d8dcf33
                    • Instruction Fuzzy Hash: 7ED12978A01228CFDB25EF35D895BADB7B6BB48304F2041E9D509A7394DB399E81CF40
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fbd39fe23d079f4af49c5179bc54aed211e7e25b4e3b2fe341f256e85865fdd1
                    • Instruction ID: b51ea4aebf49b9ba5c99196ac1ae76d69991720411d64cbf558763ead3dafc83
                    • Opcode Fuzzy Hash: fbd39fe23d079f4af49c5179bc54aed211e7e25b4e3b2fe341f256e85865fdd1
                    • Instruction Fuzzy Hash: 55A15F39A00204DFDB19EFB5E85175E77B2AF88348B60852DE805D73A8DF3A9C42DB50
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7a40abab0454db9139d92c152b5a1f82eab06f8fe543a0ac74f7726cce4a2387
                    • Instruction ID: 224e8a5e435a68b70d94b19914e956698bc1d8d90723d72da414c63529a4b665
                    • Opcode Fuzzy Hash: 7a40abab0454db9139d92c152b5a1f82eab06f8fe543a0ac74f7726cce4a2387
                    • Instruction Fuzzy Hash: F7915D39A00204DFDB19EFB5E85176D77B2AF88348B60852DE805D73A8DF3A9C42DB50
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 20ade31162ddd39098c7d58c57799766176ae7e82aa09db59bfb48fdc49d5bd6
                    • Instruction ID: eb373f7d6029b6e0f811eeb9f0b3959bb21e8b43ea62a6fba47683d2e62ddee8
                    • Opcode Fuzzy Hash: 20ade31162ddd39098c7d58c57799766176ae7e82aa09db59bfb48fdc49d5bd6
                    • Instruction Fuzzy Hash: BEB13974A012288FDB29EF35D851BAD77B2AF88304F6045EDD509AB394DB399E81CF40
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d9074a8289055abeadf9283560ddc153cd59919f60745a4a1a270b35d3dc47f6
                    • Instruction ID: 337db36ed36da2371fa0f2af2e522962432a18b4c330a38d4427b0053b33ef1c
                    • Opcode Fuzzy Hash: d9074a8289055abeadf9283560ddc153cd59919f60745a4a1a270b35d3dc47f6
                    • Instruction Fuzzy Hash: 0C915038A00204DFDB19EF75E85175D73B2AF88748B60852DE805973A8DF3A9C52DB90
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fa076534ae49f86021f0b687495041ce273aa70693043bbd247c1a72f1e97f43
                    • Instruction ID: e1e737cf76e0bb5068ad3d29177acd49a9dc09d86654dc68ae0372e90ce6ff5e
                    • Opcode Fuzzy Hash: fa076534ae49f86021f0b687495041ce273aa70693043bbd247c1a72f1e97f43
                    • Instruction Fuzzy Hash: 57814F38A00204DFDB19EF75E85176D73B2AF88748B60852DE805973A8DF3A9C52DB90
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f68e2d8f2b8d170f76e3ed2d765e701f9615fe151ad7168b689194e14b3dfc3a
                    • Instruction ID: 55f25af615f9b72e661fd576611b0242d6901675388c8ab3a15a8c1742d5db90
                    • Opcode Fuzzy Hash: f68e2d8f2b8d170f76e3ed2d765e701f9615fe151ad7168b689194e14b3dfc3a
                    • Instruction Fuzzy Hash: EF913D74A012688FDB25EF35D855BAD73B2AF88304F6045ED9509AB394DF399E81CF40
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3d290a2f9ddd97cc53c269e1b9dc2d91ed6bf083470d885e21555ee0be7b6b9d
                    • Instruction ID: 62deaccd7b9aabd71738793f9623fef4cde998ef217c7d8701db72ac144e7994
                    • Opcode Fuzzy Hash: 3d290a2f9ddd97cc53c269e1b9dc2d91ed6bf083470d885e21555ee0be7b6b9d
                    • Instruction Fuzzy Hash: E4A1C678A00228CFDB25EF74D945BEDB7B2BB48308F1045A9D949AB355DB369E81CF40
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f0b3932b3f5fe4a8c4bef742089b4fc27da85f3cf0a8b7196f3d935e8df9a353
                    • Instruction ID: 8afbb8f06c9a69f145ad7d65e4c813c209ea38605e94c4dc720299de7514a5c0
                    • Opcode Fuzzy Hash: f0b3932b3f5fe4a8c4bef742089b4fc27da85f3cf0a8b7196f3d935e8df9a353
                    • Instruction Fuzzy Hash: AB715138B00204DFDB19AF75E85176D73B2AF88758B60852DE805D73A8DF3A9C52DB90
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 61800b869de3f3489da839370bda844a46d5aa43a250f4eb9609a40d16d8b364
                    • Instruction ID: 72020c371c5b4b311ff8c17e6f84afd15f76d656da1e35673a13d67ee31b42ac
                    • Opcode Fuzzy Hash: 61800b869de3f3489da839370bda844a46d5aa43a250f4eb9609a40d16d8b364
                    • Instruction Fuzzy Hash: DB818E34A00258CFDB24EFB5C855BEDB7B2AF89308F1045A9D00AAB394DB795E85CF51
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5a5600de063bffa29978db1a06452a3d0c0e3290847f16f6dd4b71d9ee68298e
                    • Instruction ID: ffff75308ae1f4abf0620919b0096da047c7b0a0f5856cbcc7810778367e81d9
                    • Opcode Fuzzy Hash: 5a5600de063bffa29978db1a06452a3d0c0e3290847f16f6dd4b71d9ee68298e
                    • Instruction Fuzzy Hash: C8613E74A01268CFDB25EF35C895BAD73B2AF88304F2045ED9509AB394DB399E81CF40
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: af8d17f4c6f8c30402a3c4c68fc37a2401b0219c1f88fd36789ee2fab2ea4ce9
                    • Instruction ID: d69ef5c28d7d33edd2e65eb4fd406598d113ab01ae2edb206cb2cd695625ff4b
                    • Opcode Fuzzy Hash: af8d17f4c6f8c30402a3c4c68fc37a2401b0219c1f88fd36789ee2fab2ea4ce9
                    • Instruction Fuzzy Hash: B7416C34E002588FDB24EBB9C955BEDB7F2BF89308F1041A9D009AB295DB795E85CF11
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1dfbd13d946ee03c9052a968487c252d1eb0a8eac78dcc1a0b2c20434abb8a73
                    • Instruction ID: f0acfcacaf34e4657fc9035e40ce3b09eb3b57fb5febc40e45af9da4e9df8605
                    • Opcode Fuzzy Hash: 1dfbd13d946ee03c9052a968487c252d1eb0a8eac78dcc1a0b2c20434abb8a73
                    • Instruction Fuzzy Hash: 00310635B002118FD724BB7AD812BBE33A69B88208F14443AD505D77A5EF3DAD168BA1
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bffea5bf9912eda5b805139a6d7761ad1c028f2ee6ae06c50e2ac9a9eff9ffff
                    • Instruction ID: 84b0ad77202e886185ddee5e2f7a0dd5ddb37c7b02f9fa42161f9fa34d9151e3
                    • Opcode Fuzzy Hash: bffea5bf9912eda5b805139a6d7761ad1c028f2ee6ae06c50e2ac9a9eff9ffff
                    • Instruction Fuzzy Hash: 9F31D331B042159FDB24DB3ACC45BAEBBE6AF88314F244139E405EB3A0DBB49C059B90
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4352ed61abac2d3109f3906d38913a3fd2f4498d937bb54c71c95068ad434c4a
                    • Instruction ID: c77879523b3621d42e57c32bf165b9c894d35fa9d61c7d4b8d6fc61ae8f3e4bf
                    • Opcode Fuzzy Hash: 4352ed61abac2d3109f3906d38913a3fd2f4498d937bb54c71c95068ad434c4a
                    • Instruction Fuzzy Hash: 4F3105317043409FD715EB7998527AE3BA79BC2244F2485BED041EF2D2DF798C0A87A2
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dafd4c7117eceeb0da53b9f93a37c2814ea51f31a694aed7456aef81f91903d0
                    • Instruction ID: a800f4178530ceb5f192f4c8545a469829e04184027f0436e1cec050a135404b
                    • Opcode Fuzzy Hash: dafd4c7117eceeb0da53b9f93a37c2814ea51f31a694aed7456aef81f91903d0
                    • Instruction Fuzzy Hash: F621A43460E3C04FD32667785C6516A3F729B8320171945EFD4C1DB2A7DB285C4AD763
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4b0a529c0879401cf5cb0aff89ec6d562fce096a7d3f311e6500c01055513bfc
                    • Instruction ID: 51c204e082c446b4106c3241685df5ced319f943922917ce462713b61f830e8c
                    • Opcode Fuzzy Hash: 4b0a529c0879401cf5cb0aff89ec6d562fce096a7d3f311e6500c01055513bfc
                    • Instruction Fuzzy Hash: 2611CE71A002159FCB15EF78D8526AE77FAAF89244720447ED40AE3344EB3A4E52CB91
                    Memory Dump Source
                    • Source File: 00000000.00000002.4125377204.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_6750000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f43a450d8c99ab3d186f4eefe5d7b2654f3db54a2370ea93e4c40cde38780cd9
                    • Instruction ID: 4c9fc7e46e67916c15d175a00fa610abf164a52e7f43e4a3ac897d6ed13715e3
                    • Opcode Fuzzy Hash: f43a450d8c99ab3d186f4eefe5d7b2654f3db54a2370ea93e4c40cde38780cd9
                    • Instruction Fuzzy Hash: 6011BDB5508341AFD750CF19D940A5BFBE4FB88664F04896EF998D7311D271EA048FA2
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122884965.0000000000FB0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fb0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3259bf8a2e2b7e60b121c5da9c13eb09bcdfcbaf993f8c65bd15b474d86fc339
                    • Instruction ID: 487c044f69299eabd7fc8be72f29b96a5fe455e36f394ca623604eb4a3348553
                    • Opcode Fuzzy Hash: 3259bf8a2e2b7e60b121c5da9c13eb09bcdfcbaf993f8c65bd15b474d86fc339
                    • Instruction Fuzzy Hash: 3E11E431604280DFC711CB11D580BA6B7A5EB88718F24C9ACE4490BB43CB3BD902EE91
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ae05c907f22378d3cb9e03fd96f4b3fb9c2cd41f408a23d2ad6f60442de0f3ee
                    • Instruction ID: d911ee082cc95c9eeb6e6b7a5bde8c7ffd5f78991e6b398bbc8d62e793077672
                    • Opcode Fuzzy Hash: ae05c907f22378d3cb9e03fd96f4b3fb9c2cd41f408a23d2ad6f60442de0f3ee
                    • Instruction Fuzzy Hash: 3111C6317042404FD325F77D985266E2A979BC2248728447DD041EB3A2DF798C0A87A3
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 14acce4877ada1ce74d6b900fde5627d3c779ca464e99743bd6c8cd05313c368
                    • Instruction ID: c6ba0c0c80ee02a19e03384af7e3fbe22bb8d0f79682b34c3c9248405fbee4a2
                    • Opcode Fuzzy Hash: 14acce4877ada1ce74d6b900fde5627d3c779ca464e99743bd6c8cd05313c368
                    • Instruction Fuzzy Hash: 23018F3820A3804FD3262778586107F3B769BC620675945AFD4819B3AADB295C4A83A3
                    Memory Dump Source
                    • Source File: 00000000.00000002.4125377204.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_6750000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: da4882e6e7cc501a1518322b79dbcafcd0f8e5479154cdcb161607d146887031
                    • Instruction ID: bf6cde672176576e7184d16ed68c2bd70921eb6e3e5226949674719e5251a148
                    • Opcode Fuzzy Hash: da4882e6e7cc501a1518322b79dbcafcd0f8e5479154cdcb161607d146887031
                    • Instruction Fuzzy Hash: A31100B5508301AFD750CF09DC80E5BFBE9EB88660F048C2EF95897311D271E9088FA2
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122678276.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eba000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 238af85ae6cfb9a44495a57f0ce55cdaed7ba1d65782bc7398ff3fdb0c33393c
                    • Instruction ID: 73d8eed8eccab3ce6f01f6117b0e575234da54a0b3a4b2612264c5f91653041a
                    • Opcode Fuzzy Hash: 238af85ae6cfb9a44495a57f0ce55cdaed7ba1d65782bc7398ff3fdb0c33393c
                    • Instruction Fuzzy Hash: F711FEB5508301AFD750CF09DC40E5BFBE8EB88660F04892EF95897311D271E9088FA2
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 24d35d638dac64d948e892a5f9b2e8cfe23930ce8b6df2e02464059e08084d70
                    • Instruction ID: 94b62c59b7c19b9a0e97c6f72ec192f5e55f45b69cf269707babb35f0ab5a89a
                    • Opcode Fuzzy Hash: 24d35d638dac64d948e892a5f9b2e8cfe23930ce8b6df2e02464059e08084d70
                    • Instruction Fuzzy Hash: 7B01DC6048E3C29FD31393789C2A6913FB59F47608B4E86CBD8C19B5A7D65C190EE362
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122884965.0000000000FB0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fb0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1126ee5fcb10b7faa5afed918837da5fbeeb75b1190084f9a324f5b9d6105d84
                    • Instruction ID: 12b5904c77f7a13fb479b9933a093838bd58122bcbe7c51954ffbe96775742b0
                    • Opcode Fuzzy Hash: 1126ee5fcb10b7faa5afed918837da5fbeeb75b1190084f9a324f5b9d6105d84
                    • Instruction Fuzzy Hash: 8C111C3050D3C49FCB17CB20C990B55BFB1AF46618F1985EED4898B6A3C63A9816DB52
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122884965.0000000000FB0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fb0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ee53e5d473b5ab9eda13ad32c96d61f151673f5a298f2fe83e0cad1c79f6817c
                    • Instruction ID: 982c0de9f43edf0ef03415e8100656732c105f78f034b6a22c0b93e9ab996370
                    • Opcode Fuzzy Hash: ee53e5d473b5ab9eda13ad32c96d61f151673f5a298f2fe83e0cad1c79f6817c
                    • Instruction Fuzzy Hash: 3D01867650D7806FD7128B15AC40866FFB8DF86520709C4EFEC498B653D269A909CB72
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c87ac635e43a7021b70e892e19d9977cccba0855550cbe447eaa0de9657869c4
                    • Instruction ID: 70655898250b3a6a9953079584b92f7e0059c30658cd600a6c0980864995cabc
                    • Opcode Fuzzy Hash: c87ac635e43a7021b70e892e19d9977cccba0855550cbe447eaa0de9657869c4
                    • Instruction Fuzzy Hash: E2F0F632B04344AFEB14DEB08C52BAE7BA6DF81714F10867EE5859B1C1DA7548428740
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122884965.0000000000FB0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fb0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e5ea9dab5dd5d1ef0c403e4a29202dcc4282872e17b0cfe76990cc76da85d1b3
                    • Instruction ID: fa9a022d7a16e83b113af1446a4685e8f7184e57f36237ae7b9f7b630fd07489
                    • Opcode Fuzzy Hash: e5ea9dab5dd5d1ef0c403e4a29202dcc4282872e17b0cfe76990cc76da85d1b3
                    • Instruction Fuzzy Hash: B9F0FB35504644DFC715CF00D580B56FBA2EB89718F24CAA9E94917A52C737D912DE81
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122884965.0000000000FB0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fb0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c1087402b6f5e0521d8dce2c39472f2b0634e5d55a3bb6777929f7476776c1c2
                    • Instruction ID: 52204e459208d79e165fde657ab910cfd38ae8960b1b2a6ed8a2184db839ecfc
                    • Opcode Fuzzy Hash: c1087402b6f5e0521d8dce2c39472f2b0634e5d55a3bb6777929f7476776c1c2
                    • Instruction Fuzzy Hash: EEE092B66056005B9650CF0AEC81462F7D8EB84630718C47FDC0D8BB01D279B608CAA5
                    Memory Dump Source
                    • Source File: 00000000.00000002.4125377204.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_6750000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ff19cadbe283934cf17cc6665f196a65bc93b7926b6ec1652d245c263fd21bf9
                    • Instruction ID: 0d35c511c18c6459a5f2a03c14b6f37bf3e8bef0c534e64d70b6343620cead87
                    • Opcode Fuzzy Hash: ff19cadbe283934cf17cc6665f196a65bc93b7926b6ec1652d245c263fd21bf9
                    • Instruction Fuzzy Hash: 22E0D8B250020067D6209F06AC45F63FB98DB80D30F04C46BED081B702E1B2B614CDF1
                    Memory Dump Source
                    • Source File: 00000000.00000002.4125377204.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_6750000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a16db37203962bd0384bfe17e4e40527adc1f8f71873275183d7f446093f942f
                    • Instruction ID: 988fc18d94c4a7db4048b7c8b099b71bc9538e921a56b3b45b690e16d006ffe6
                    • Opcode Fuzzy Hash: a16db37203962bd0384bfe17e4e40527adc1f8f71873275183d7f446093f942f
                    • Instruction Fuzzy Hash: 64E0D8B250030467D6609F069C85F63FB98DB40930F04C46BED0C1B702E1B2B6048DF1
                    Memory Dump Source
                    • Source File: 00000000.00000002.4125377204.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_6750000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c6a4cd20e0b00bafd7ce51a9f05de0762981973f4a517c64d30b212b3ababc6e
                    • Instruction ID: bd44015c89b2a25700872b75fb7047e2a357763c81f57a029fb7ae43aef6a4ba
                    • Opcode Fuzzy Hash: c6a4cd20e0b00bafd7ce51a9f05de0762981973f4a517c64d30b212b3ababc6e
                    • Instruction Fuzzy Hash: 1CE0D8B254020067D6208F069D45F62FB98DB94931F04C46BED085B742E1B1B61489F1
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122678276.0000000000EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBA000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_eba000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1b5fdef2b4ce2df590b4c36b2a42c999dc2264d5534b7cd976df3ea6309d98bf
                    • Instruction ID: 2822e2ff01591fe8ec33b784be8b1330570284fec1b6200e2e587dc6af29f658
                    • Opcode Fuzzy Hash: 1b5fdef2b4ce2df590b4c36b2a42c999dc2264d5534b7cd976df3ea6309d98bf
                    • Instruction Fuzzy Hash: 68E0D8B254020467D6208F069C45F62FB98DB50931F04C56BED081B702E1B1BA048DF1
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 364ecfed7abcca8751285791ff89252d9983a48fdb43de2383e7ba0d0b6bcbaa
                    • Instruction ID: a8543dd1cf2ccb47f4c03ca3c9992df20db4db0c49adc62f177b0a30ab00e865
                    • Opcode Fuzzy Hash: 364ecfed7abcca8751285791ff89252d9983a48fdb43de2383e7ba0d0b6bcbaa
                    • Instruction Fuzzy Hash: 5AE0C23120A352CFC3192B35A41862C3739AB4A20875808FED4068B392EB3ED882CB81
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0b2b1bc373a3805f69f199dceeb900dd99361072178dd4e98a84bb2dabb34a93
                    • Instruction ID: 1585252f697449d744358bc4a155b1d1bbf7fd5097b46effbc2b1af9d149b352
                    • Opcode Fuzzy Hash: 0b2b1bc373a3805f69f199dceeb900dd99361072178dd4e98a84bb2dabb34a93
                    • Instruction Fuzzy Hash: BED05E7050E3C89FC706E7B69D166AD7F788A0360071100EBE449AB6A3D9691E18E766
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9d8fa478a1436ed94a4e21b65f2eca33028478970e33640dafce0d28de329ebd
                    • Instruction ID: 9de2d93b6ceeb1dfd5c92e9e97733d45f4e72add3fe4992975542d98fe6c8977
                    • Opcode Fuzzy Hash: 9d8fa478a1436ed94a4e21b65f2eca33028478970e33640dafce0d28de329ebd
                    • Instruction Fuzzy Hash: 66D05E2060979889DB15737A180FB7E29812F56259F08037CC0459E1A2EF6C878852A3
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122613446.0000000000EA2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA2000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_ea2000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b430fa73c0cb4f3631d56a40f08ce62759570299010af8185ec26f2044080f5b
                    • Instruction ID: f1606a6c8831b4f3ee311431ea55d813a93a334f47ce2530173598dc6bae5917
                    • Opcode Fuzzy Hash: b430fa73c0cb4f3631d56a40f08ce62759570299010af8185ec26f2044080f5b
                    • Instruction Fuzzy Hash: 0BD05E792057D14FD32A9A1CC6A4B9937D4AB5A718F4A44FDA800DF763C768E981E600
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122613446.0000000000EA2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA2000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_ea2000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 747af43a617b2105687b954301e38bf97b3d3c83453ffaa53ba7eaace13c980e
                    • Instruction ID: 3bbeacf3ed0616d7442a341921b611c03a4ad8d9b8eca4407fe2b01270b7a470
                    • Opcode Fuzzy Hash: 747af43a617b2105687b954301e38bf97b3d3c83453ffaa53ba7eaace13c980e
                    • Instruction Fuzzy Hash: 1CD05E342002824BCB25DA0CC6D4F5937D4AF46718F0648ECAC109F762C7B8E8C9DA00
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 55d538bd4fdbe291008471dc156c8c38865530efba1bc1c9b6bca266d2518fd6
                    • Instruction ID: d9fc02879e32ca23e0ae1fede155e81754974b63363587132edd9cb919d4fcc0
                    • Opcode Fuzzy Hash: 55d538bd4fdbe291008471dc156c8c38865530efba1bc1c9b6bca266d2518fd6
                    • Instruction Fuzzy Hash: B7D0C971A15208EF8B44EFA9DD0189EB7F9EB49215B1142AAA80AD3750EE325E04DB81
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c906bd50f425e2e426a771989e73ad42fc042fd1349e0b8f15f9a6e0ed28b5eb
                    • Instruction ID: 6498e5cddd0e5a8c38c9b295b9e5e24b73baf701c867ee265cf8d387eb86d121
                    • Opcode Fuzzy Hash: c906bd50f425e2e426a771989e73ad42fc042fd1349e0b8f15f9a6e0ed28b5eb
                    • Instruction Fuzzy Hash: 26D09E719191489F8B44DF64D9518AD7BB5AB4520571142AED40AD3651DA710E04DB41
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f221ba252c83aec57346aa260811330fcd676af7921ee5c5760294a0d731518c
                    • Instruction ID: 0799f50cab6004755d0545c8e3133199088b1d162ff3075c0d41c22134d26396
                    • Opcode Fuzzy Hash: f221ba252c83aec57346aa260811330fcd676af7921ee5c5760294a0d731518c
                    • Instruction Fuzzy Hash: 8BB17B3AA0A3E38BD735EB33A85023677E57A402613294176F490CB1E5EF28DD86F751
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122613446.0000000000EA2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA2000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_ea2000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 956f5b167f884177c21e59223b663effea0e7f60982996a1c851f1704e1a8570
                    • Instruction ID: a28b0c52e6502a29ca15dc488fd4f65b1947dc484546dd12f45ee1f96473df82
                    • Opcode Fuzzy Hash: 956f5b167f884177c21e59223b663effea0e7f60982996a1c851f1704e1a8570
                    • Instruction Fuzzy Hash: 7031256140EBC58FC707CF3448A60457F71AE5360479A82EFC485DF5EBE71A990AC7A2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID: N$N$N$N
                    • API String ID: 0-91100018
                    • Opcode ID: 9aec51e123050e1ac1cc2093f1777a452fd15d623ed6ebaad4f55dbeeb2839df
                    • Instruction ID: 80361b737ed42a08d06a7434b596f5bafe5cdd5f49d30bb42890656d40a9a75a
                    • Opcode Fuzzy Hash: 9aec51e123050e1ac1cc2093f1777a452fd15d623ed6ebaad4f55dbeeb2839df
                    • Instruction Fuzzy Hash: 2A2182B5B002499FEB20DB6ED885BAA73E5FFCA344F140868E501EB784E770ED018790
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4122920151.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_fe0000_Vhl3X1aYeU.jbxd
                    Similarity
                    • API ID:
                    • String ID: N$N$N$N
                    • API String ID: 0-91100018
                    • Opcode ID: a5b195c3b9de1788841a271f885a367c7c08f32345b128ee83f0c28e014923aa
                    • Instruction ID: 1e48a356f568d326dafcc5a1714c9d36e1fdfc39212dea9317962db958645cc2
                    • Opcode Fuzzy Hash: a5b195c3b9de1788841a271f885a367c7c08f32345b128ee83f0c28e014923aa
                    • Instruction Fuzzy Hash: 252194B5B012499FEB20DB6AD885BAA73E5FFCA344F140868D501EB784EB70ED018790

                    Execution Graph

                    Execution Coverage:12.6%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:0%
                    Total number of Nodes:52
                    Total number of Limit Nodes:4
                    execution_graph 1780 f1a573 1781 f1a59a DuplicateHandle 1780->1781 1783 f1a5e6 1781->1783 1745 f1aa12 1746 f1aa3e SetErrorMode 1745->1746 1748 f1aa67 1745->1748 1747 f1aa53 1746->1747 1748->1746 1784 f1aa75 1785 f1aaa6 CreateFileW 1784->1785 1787 f1ab2d 1785->1787 1804 f1ac37 1805 f1ac6a GetFileType 1804->1805 1807 f1accc 1805->1807 1788 f1af76 1790 f1afaa CreateMutexW 1788->1790 1791 f1b025 1790->1791 1749 f1a59a 1750 f1a610 1749->1750 1751 f1a5d8 DuplicateHandle 1749->1751 1750->1751 1752 f1a5e6 1751->1752 1792 f1ab7c 1793 f1abbe CloseHandle 1792->1793 1795 f1abf8 1793->1795 1808 f1a9bf 1811 f1a9c9 SetErrorMode 1808->1811 1810 f1aa53 1811->1810 1753 f1a65e 1754 f1a6c0 1753->1754 1755 f1a68a OleInitialize 1753->1755 1754->1755 1756 f1a698 1755->1756 1757 f1abbe 1758 f1ac29 1757->1758 1759 f1abea CloseHandle 1757->1759 1758->1759 1760 f1abf8 1759->1760 1812 f1a61e 1815 f1a65e OleInitialize 1812->1815 1814 f1a698 1815->1814 1761 f1aaa6 1762 f1aade CreateFileW 1761->1762 1764 f1ab2d 1762->1764 1769 f1afaa 1772 f1afe2 CreateMutexW 1769->1772 1771 f1b025 1772->1771 1773 f1adee 1774 f1ae23 WriteFile 1773->1774 1776 f1ae55 1774->1776 1796 f1a6ce 1797 f1a72e OleGetClipboard 1796->1797 1799 f1a78c 1797->1799 1800 f1adce 1802 f1adee WriteFile 1800->1802 1803 f1ae55 1802->1803

                    Callgraph

                    • Executed
                    • Not Executed
                    • Opacity -> Relevance
                    • Disassembly available
                    callgraph 0 Function_01010000 1 Function_00F121F0 2 Function_04E301E1 4 Function_01010606 2->4 89 Function_010105DF 2->89 3 Function_00F123F4 5 Function_00F1ACF8 6 Function_0101000C 7 Function_00F1A2FE 8 Function_01010710 9 Function_04E337F9 10 Function_04E33CF9 11 Function_04E341F8 12 Function_00F1ADEE 13 Function_00F1A7D1 14 Function_00F120D0 15 Function_00F1AED2 16 Function_00F1A2D2 17 Function_04E302C0 43 Function_04E300B8 17->43 18 Function_04E33FC0 19 Function_00F12BD4 20 Function_04E33DC4 21 Function_00F1A4D8 22 Function_00F124C5 23 Function_0101073B 24 Function_00F1A3CA 25 Function_00F1A6CE 26 Function_00F1ADCE 27 Function_00F1A2B0 28 Function_00F1A7B0 29 Function_04E302A2 30 Function_00F1B0B2 31 Function_00F122B4 32 Function_01010648 49 Function_0101066A 32->49 33 Function_04E300A8 33->4 33->9 39 Function_04E339B7 33->39 85 Function_00F1A23A 33->85 33->89 98 Function_04E33B10 33->98 103 Function_00F1A20C 33->103 34 Function_00F123BC 35 Function_00F1A9BF 36 Function_00F1ABBE 37 Function_00F1A0BE 38 Function_04E302B1 38->43 40 Function_00F1AAA6 41 Function_00F1A3A8 42 Function_00F1AFAA 43->4 43->9 43->39 43->85 43->89 43->98 43->103 44 Function_00F12691 45 Function_00F12194 46 Function_00F1AE97 47 Function_00F12098 48 Function_00F1A59A 50 Function_00F1A384 51 Function_01010074 52 Function_00F1A186 53 Function_0101067F 54 Function_00F1A573 55 Function_00F1A472 56 Function_04E33160 57 Function_00F1AA75 58 Function_00F1B074 59 Function_00F1AF76 60 Function_00F1A078 61 Function_00F1AB7C 62 Function_00F1A865 63 Function_00F12264 64 Function_00F12364 65 Function_00F1AC6A 66 Function_04E34278 79 Function_04E33058 66->79 67 Function_04E33141 68 Function_00F1AD52 69 Function_04E33047 70 Function_04E34147 71 Function_00F12458 72 Function_04E30449 73 Function_00F1A65E 74 Function_00F1A140 75 Function_010104B5 76 Function_04E32656 77 Function_00F12044 78 Function_00F1A44A 80 Function_04E33C5E 81 Function_010105BF 82 Function_00F12430 83 Function_00F1AC37 84 Function_00F1A836 86 Function_00F1213C 87 Function_010105CF 88 Function_04E34230 90 Function_00F1A72E 91 Function_00F1A02E 92 Function_00F12310 93 Function_00F1AA12 94 Function_04E30007 95 Function_04E34208 96 Function_00F1A61E 97 Function_04E33010 97->4 97->89 99 Function_00F1A005 100 Function_00F12005 101 Function_00F1A50A 102 Function_04E30118 102->4 102->9 102->39 102->89 102->98
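The `execution_graph` and `callgraph` lines above, and the `control_flow_graph` lines in the records that follow, are flattened Graphviz-style dumps: a node is an integer id followed by its address (or address range, or `Function_` name) and, where the node is an API call, the API name; an edge is `src->dst`. The Python below is an added example, not code from Joe Sandbox or from this report; the token grammar is inferred from the dumps on this page and is an assumption, not a documented format. It rebuilds the graph, derives the entry node of each fragment (the node with no incoming edge) and maps each API to the entry addresses that reach it, so the file-write, mutex and clipboard-read calls shown for process 7 can be pulled out of the report without the viewer. On the execution graph above it finds the report's 52 nodes, 40 edges and 16 entry fragments.

```python
"""Parser for the flattened graph dumps in a Joe Sandbox report (added example,
not Joe Sandbox code). The grammar is inferred from the execution_graph, callgraph
and control_flow_graph lines on this page and is an assumption, not a documented
format:  <graph name> ( <id> <address|range|Function_name> [<API label>] | <src>-><dst> )*
"""
import re
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
INT_RE = re.compile(r"^\d+$")


@dataclass
class Graph:
    name: str
    nodes: dict = field(default_factory=dict)  # id -> (address, api label or None)
    edges: list = field(default_factory=list)  # (src id, dst id)

    def roots(self):
        """Nodes with no incoming edge: the entry point of each fragment."""
        targets = {d for _, d in self.edges}
        return [n for n in self.nodes if n not in targets]

    def apis_reachable(self, start):
        """Iterative depth-first walk collecting the API labels reachable from start."""
        seen, stack, apis = set(), [start], set()
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            if self.nodes[n][1]:
                apis.add(self.nodes[n][1])
            stack.extend(d for s, d in self.edges if s == n)
        return apis


def parse_graph(text):
    """Tokenise one dump and rebuild its nodes and edges."""
    tokens = text.split()
    name, i = "graph", 0
    if not INT_RE.match(tokens[0]):  # leading graph name, e.g. execution_graph
        name, i = tokens[0], 1
    g = Graph(name)
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            g.edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if not INT_RE.match(tok) or i + 1 >= len(tokens):
            raise ValueError(f"unexpected token {tok!r} at position {i}")
        nid, addr, i = int(tok), tokens[i + 1], i + 2
        api = None
        # A label follows the address only when the next token is neither a node id
        # nor an edge; an all-digit API name would be misread (none occur here).
        if i < len(tokens) and not INT_RE.match(tokens[i]) and not EDGE_RE.match(tokens[i]):
            api, i = tokens[i], i + 1
        g.nodes[nid] = (addr, api)
    return g


def api_summary(g):
    """Map each API label to the entry addresses of the fragments that reach it."""
    out = {}
    for r in g.roots():
        for api in g.apis_reachable(r):
            out.setdefault(api, set()).add(g.nodes[r][0])
    return out


# The dumps below are copied verbatim from the graphs on this page.
EXECUTION_GRAPH = (
    "execution_graph 1780 f1a573 1781 f1a59a DuplicateHandle 1780->1781 1783 f1a5e6 1781->1783 "
    "1745 f1aa12 1746 f1aa3e SetErrorMode 1745->1746 1748 f1aa67 1745->1748 1747 f1aa53 1746->1747 "
    "1748->1746 1784 f1aa75 1785 f1aaa6 CreateFileW 1784->1785 1787 f1ab2d 1785->1787 1804 f1ac37 "
    "1805 f1ac6a GetFileType 1804->1805 1807 f1accc 1805->1807 1788 f1af76 1790 f1afaa CreateMutexW "
    "1788->1790 1791 f1b025 1790->1791 1749 f1a59a 1750 f1a610 1749->1750 1751 f1a5d8 DuplicateHandle "
    "1749->1751 1750->1751 1752 f1a5e6 1751->1752 1792 f1ab7c 1793 f1abbe CloseHandle 1792->1793 "
    "1795 f1abf8 1793->1795 1808 f1a9bf 1811 f1a9c9 SetErrorMode 1808->1811 1810 f1aa53 1811->1810 "
    "1753 f1a65e 1754 f1a6c0 1753->1754 1755 f1a68a OleInitialize 1753->1755 1754->1755 1756 f1a698 "
    "1755->1756 1757 f1abbe 1758 f1ac29 1757->1758 1759 f1abea CloseHandle 1757->1759 1758->1759 "
    "1760 f1abf8 1759->1760 1812 f1a61e 1815 f1a65e OleInitialize 1812->1815 1814 f1a698 1815->1814 "
    "1761 f1aaa6 1762 f1aade CreateFileW 1761->1762 1764 f1ab2d 1762->1764 1769 f1afaa 1772 f1afe2 "
    "CreateMutexW 1769->1772 1771 f1b025 1772->1771 1773 f1adee 1774 f1ae23 WriteFile 1773->1774 "
    "1776 f1ae55 1774->1776 1796 f1a6ce 1797 f1a72e OleGetClipboard 1796->1797 1799 f1a78c 1797->1799 "
    "1800 f1adce 1802 f1adee WriteFile 1800->1802 1803 f1ae55 1802->1803"
)
CALLGRAPH_EXCERPT = ("callgraph 0 Function_01010000 1 Function_00F121F0 2 Function_04E301E1 "
                     "4 Function_01010606 2->4 89 Function_010105DF 2->89")
CFG_CREATEFILE = ("control_flow_graph 0 f1aa75-f1aafe 4 f1ab00 0->4 5 f1ab03-f1ab0f 0->5 4->5 "
                  "6 f1ab11 5->6 7 f1ab14-f1ab1d 5->7 6->7 8 f1ab1f-f1ab43 CreateFileW 7->8 "
                  "9 f1ab6e-f1ab73 7->9 12 f1ab75-f1ab7a 8->12 13 f1ab45-f1ab6b 8->13 9->8 12->13")

if __name__ == "__main__":
    eg = parse_graph(EXECUTION_GRAPH)
    print(eg.name, len(eg.nodes), "nodes,", len(eg.edges), "edges,", len(eg.roots()), "entry nodes")
    for api, entries in sorted(api_summary(eg).items()):
        print(f"  {api:16s} <- {', '.join(sorted(entries))}")
```

`CFG_CREATEFILE` is the basic-block graph of the first control-flow record on this page (the f1aa75 function whose block f1ab1f-f1ab43 calls `CreateFileW`); the same parser handles it because a block range such as `f1aa75-f1aafe` contains a single dash and so never matches the `->` edge pattern. Two fragments reach `WriteFile` (entries f1adee and f1adce) and one reaches `OleGetClipboard` (entry f1a6ce), which is the clipboard-read path worth following first when triaging a RAT dump like this one.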

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 0 f1aa75-f1aafe 4 f1ab00 0->4 5 f1ab03-f1ab0f 0->5 4->5 6 f1ab11 5->6 7 f1ab14-f1ab1d 5->7 6->7 8 f1ab1f-f1ab43 CreateFileW 7->8 9 f1ab6e-f1ab73 7->9 12 f1ab75-f1ab7a 8->12 13 f1ab45-f1ab6b 8->13 9->8 12->13
                    APIs
                    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00F1AB25
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836576406.0000000000F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1A000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_f1a000_Explower.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 54cefa036b59e77121e6cc5064aef43ac597ee7566b729637cdd68e8ecf660f6
                    • Instruction ID: 7666406d85d9b902478e139f4b4579031f5a93b0e06319531bc65c5da6810f7b
                    • Opcode Fuzzy Hash: 54cefa036b59e77121e6cc5064aef43ac597ee7566b729637cdd68e8ecf660f6
                    • Instruction Fuzzy Hash: A2318271509380AFE721CF65DC45F96BBF8EF06320F08889AE9458B652D375E948CB71

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 16 f1af76-f1aff9 20 f1affb 16->20 21 f1affe-f1b007 16->21 20->21 22 f1b009 21->22 23 f1b00c-f1b015 21->23 22->23 24 f1b017-f1b03b CreateMutexW 23->24 25 f1b066-f1b06b 23->25 28 f1b06d-f1b072 24->28 29 f1b03d-f1b063 24->29 25->24 28->29
                    APIs
                    • CreateMutexW.KERNELBASE(?,?), ref: 00F1B01D
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836576406.0000000000F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1A000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_f1a000_Explower.jbxd
                    Similarity
                    • API ID: CreateMutex
                    • String ID:
                    • API String ID: 1964310414-0
                    • Opcode ID: 5f96ffc93689ac2001a5a6584d31bdc8a88e324bfc0fba518d1e9c6f81dc66c0
                    • Instruction ID: 21bbb239b83a1b7c5a41888f64b8952422240e5647688484fcc163926d766228
                    • Opcode Fuzzy Hash: 5f96ffc93689ac2001a5a6584d31bdc8a88e324bfc0fba518d1e9c6f81dc66c0
                    • Instruction Fuzzy Hash: B13181B15093809FE721CB65DD45B96BFF8EF06310F08849AE984CB292D375E909C772

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 32 f1a6ce-f1a72b 33 f1a72e-f1a786 OleGetClipboard 32->33 35 f1a78c-f1a7a2 33->35
                    APIs
                    • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 00F1A77E
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836576406.0000000000F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1A000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_f1a000_Explower.jbxd
                    Similarity
                    • API ID: Clipboard
                    • String ID:
                    • API String ID: 220874293-0
                    • Opcode ID: 122a971a9474cc1daaf0afcad436ea0a38129b2fa86db8635e2c0446d3f8ea51
                    • Instruction ID: f1a2f9198d9b50fd43c309cb3a0392656d6489cccc78cfa5c3bc2e2f657003d2
                    • Opcode Fuzzy Hash: 122a971a9474cc1daaf0afcad436ea0a38129b2fa86db8635e2c0446d3f8ea51
                    • Instruction Fuzzy Hash: 1C31807504D3C06FD3138B259C61B61BFB4EF47610F0A40DBE884CB6A3D2296919D772

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 36 f1aaa6-f1aafe 39 f1ab00 36->39 40 f1ab03-f1ab0f 36->40 39->40 41 f1ab11 40->41 42 f1ab14-f1ab1d 40->42 41->42 43 f1ab1f-f1ab27 CreateFileW 42->43 44 f1ab6e-f1ab73 42->44 45 f1ab2d-f1ab43 43->45 44->43 47 f1ab75-f1ab7a 45->47 48 f1ab45-f1ab6b 45->48 47->48
                    APIs
                    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00F1AB25
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836576406.0000000000F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1A000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_f1a000_Explower.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: c097d94a850114734d7cb2af2dad2234e26168f56ce290ca10c88f37ab74f3c8
                    • Instruction ID: fbebdaa43bc000d87e1b473fb814bd083994d0b8a2dccb4af1df5f90dbbc3f5a
                    • Opcode Fuzzy Hash: c097d94a850114734d7cb2af2dad2234e26168f56ce290ca10c88f37ab74f3c8
                    • Instruction Fuzzy Hash: 4121D171605240AFEB21CF65DD44FA6FBE8EF08320F04886AE9498B751D375E808DB72

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 62 f1ac37-f1acb5 66 f1acb7-f1acca GetFileType 62->66 67 f1acea-f1acef 62->67 68 f1acf1-f1acf6 66->68 69 f1accc-f1ace9 66->69 67->66 68->69
                    APIs
                    • GetFileType.KERNELBASE(?,00000E24,EEC1E3C1,00000000,00000000,00000000,00000000), ref: 00F1ACBD
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836576406.0000000000F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1A000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_f1a000_Explower.jbxd
                    Similarity
                    • API ID: FileType
                    • String ID:
                    • API String ID: 3081899298-0
                    • Opcode ID: e5e6601326d53a9e98ee0420198dce04940804d165160c40b2163685eaa5792f
                    • Instruction ID: 2f3bbda345eeb945726dcb0ea211f472c21cd103e6f1a798e8511531fbb35c8d
                    • Opcode Fuzzy Hash: e5e6601326d53a9e98ee0420198dce04940804d165160c40b2163685eaa5792f
                    • Instruction Fuzzy Hash: 7C21D5B54093806FE7228B55DC40BA2BFB8DF47324F0884DBE9848B293D274A909D772

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 51 f1a9bf-f1aa3c 56 f1aa67-f1aa6c 51->56 57 f1aa3e-f1aa51 SetErrorMode 51->57 56->57 58 f1aa53-f1aa66 57->58 59 f1aa6e-f1aa73 57->59 59->58
                    APIs
                    • SetErrorMode.KERNELBASE(?), ref: 00F1AA44
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836576406.0000000000F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1A000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_f1a000_Explower.jbxd
                    Similarity
                    • API ID: ErrorMode
                    • String ID:
                    • API String ID: 2340568224-0
                    • Opcode ID: 50e795dc1a4f07249d22b911b8968ff45bb8a89897493d0123f29f0db21be4f1
                    • Instruction ID: 43ef8d531f7b27378903ae442ffb5b7223c464d0db58e31d458263a3292ab411
                    • Opcode Fuzzy Hash: 50e795dc1a4f07249d22b911b8968ff45bb8a89897493d0123f29f0db21be4f1
                    • Instruction Fuzzy Hash: A321486540E3C09FDB138B259C64A51BFB4AF57624F0E80DBD984CF6A3D2689848DB72

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 73 f1afaa-f1aff9 76 f1affb 73->76 77 f1affe-f1b007 73->77 76->77 78 f1b009 77->78 79 f1b00c-f1b015 77->79 78->79 80 f1b017-f1b01f CreateMutexW 79->80 81 f1b066-f1b06b 79->81 82 f1b025-f1b03b 80->82 81->80 84 f1b06d-f1b072 82->84 85 f1b03d-f1b063 82->85 84->85
                    APIs
                    • CreateMutexW.KERNELBASE(?,?), ref: 00F1B01D
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836576406.0000000000F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1A000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_f1a000_Explower.jbxd
                    Similarity
                    • API ID: CreateMutex
                    • String ID:
                    • API String ID: 1964310414-0
                    • Opcode ID: 54cea938ac28535c78eaf09359743e046dc976572711a46a3ef119d0267f2238
                    • Instruction ID: 1f521c281c86c63cb4a132a43a19d2defa2b3868a43f7bcb2035014a49f0467b
                    • Opcode Fuzzy Hash: 54cea938ac28535c78eaf09359743e046dc976572711a46a3ef119d0267f2238
                    • Instruction Fuzzy Hash: 5421B0715002009FEB20DF25DD45BA6FBE8EF08320F04886AE948CB741D775E948DB71

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 88 f1adce-f1ae45 92 f1ae47-f1ae67 WriteFile 88->92 93 f1ae89-f1ae8e 88->93 96 f1ae90-f1ae95 92->96 97 f1ae69-f1ae86 92->97 93->92 96->97
                    APIs
                    • WriteFile.KERNELBASE(?,00000E24,EEC1E3C1,00000000,00000000,00000000,00000000), ref: 00F1AE4D
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836576406.0000000000F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1A000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_f1a000_Explower.jbxd
                    Similarity
                    • API ID: FileWrite
                    • String ID:
                    • API String ID: 3934441357-0
                    • Opcode ID: b64b2096844bf57138e63ab835055c74fdcce5c95004cea310a920c8f1d7208e
                    • Instruction ID: afbe1b6602e69eea77be90e02164026c910d440ead61bdb008983f1a2fa92855
                    • Opcode Fuzzy Hash: b64b2096844bf57138e63ab835055c74fdcce5c95004cea310a920c8f1d7208e
                    • Instruction Fuzzy Hash: 0121A471405340AFDB22CF55DD44F97BFB8EF49320F08889AE9449B652D234A908CBB2

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 100 f1a61e-f1a688 102 f1a6c0-f1a6c5 100->102 103 f1a68a-f1a692 OleInitialize 100->103 102->103 104 f1a698-f1a6aa 103->104 106 f1a6c7-f1a6cc 104->106 107 f1a6ac-f1a6bf 104->107 106->107
                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836576406.0000000000F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1A000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_f1a000_Explower.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    • Opcode ID: b225c6f91b2ba23da805f4f5f7347f428c6e89c8bc5ed07a6bd343170bfadddf
                    • Instruction ID: 4f0ebadf9f64e74a63a844276482b5be96aa5f43b857d1ae4669501448d4be50
                    • Opcode Fuzzy Hash: b225c6f91b2ba23da805f4f5f7347f428c6e89c8bc5ed07a6bd343170bfadddf
                    • Instruction Fuzzy Hash: 32215B7140E3C05FDB138B259C94692BFB4DF07220F0D84DBD8848F2A3D2699908D772

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 109 f1a573-f1a5d6 111 f1a610-f1a615 109->111 112 f1a5d8-f1a5e0 DuplicateHandle 109->112 111->112 113 f1a5e6-f1a5f8 112->113 115 f1a617-f1a61c 113->115 116 f1a5fa-f1a60d 113->116 115->116
                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F1A5DE
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836576406.0000000000F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1A000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_f1a000_Explower.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: fb834db208cabbef15c2026ff3c88d1c0137d5a1ed493ced7390a3ff9aeb7abe
                    • Instruction ID: 74c3403d33c6f1d79613da137c96ab749f3bbddb1cbb9e0f66b59c7b079ff383
                    • Opcode Fuzzy Hash: fb834db208cabbef15c2026ff3c88d1c0137d5a1ed493ced7390a3ff9aeb7abe
                    • Instruction Fuzzy Hash: 1F118771405380AFDB228F51DC44A62FFF4EF4A320F0888DAED858B552D275A918DB72

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 118 f1adee-f1ae45 121 f1ae47-f1ae4f WriteFile 118->121 122 f1ae89-f1ae8e 118->122 124 f1ae55-f1ae67 121->124 122->121 125 f1ae90-f1ae95 124->125 126 f1ae69-f1ae86 124->126 125->126
                    APIs
                    • WriteFile.KERNELBASE(?,00000E24,EEC1E3C1,00000000,00000000,00000000,00000000), ref: 00F1AE4D
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836576406.0000000000F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1A000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_f1a000_Explower.jbxd
                    Similarity
                    • API ID: FileWrite
                    • String ID:
                    • API String ID: 3934441357-0
                    • Opcode ID: 14281d3b0703da62cc3c3aaa2850a21dbea488b709f6268a71dfe526967ad93a
                    • Instruction ID: ba92b86c61ef6aceadf5ac410307798b96882bd98635c0b7606afffb33436707
                    • Opcode Fuzzy Hash: 14281d3b0703da62cc3c3aaa2850a21dbea488b709f6268a71dfe526967ad93a
                    • Instruction Fuzzy Hash: D411C472500300AFEB31CF56DD44FA6FBE8EF08324F04886AE9498B651D374A548DBB2

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 129 f1ac6a-f1acb5 132 f1acb7-f1acca GetFileType 129->132 133 f1acea-f1acef 129->133 134 f1acf1-f1acf6 132->134 135 f1accc-f1ace9 132->135 133->132 134->135
                    APIs
                    • GetFileType.KERNELBASE(?,00000E24,EEC1E3C1,00000000,00000000,00000000,00000000), ref: 00F1ACBD
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836576406.0000000000F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1A000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_f1a000_Explower.jbxd
                    Similarity
                    • API ID: FileType
                    • String ID:
                    • API String ID: 3081899298-0
                    • Opcode ID: 0e083b7c459d16ef27bd4b7092dfb4c92002315aad02c7277b554a19eda908bc
                    • Instruction ID: fbbf04b3b9edb375b5d81c0816d3d19e64fc626706af7c16933597f304307957
                    • Opcode Fuzzy Hash: 0e083b7c459d16ef27bd4b7092dfb4c92002315aad02c7277b554a19eda908bc
                    • Instruction Fuzzy Hash: AD010471500300AFEB208F05DD84BA6F7A8DF05324F0484A6ED088B741D674E8489AB2

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 139 f1a59a-f1a5d6 140 f1a610-f1a615 139->140 141 f1a5d8-f1a5e0 DuplicateHandle 139->141 140->141 142 f1a5e6-f1a5f8 141->142 144 f1a617-f1a61c 142->144 145 f1a5fa-f1a60d 142->145 144->145
                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F1A5DE
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836576406.0000000000F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1A000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_f1a000_Explower.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 155c12a200ed88d13dcd4b6cd31aec20864381a673a5222a2adb1a8ea6e816ec
                    • Instruction ID: 94de18b2f7353eb5330a14b49976621d10adb30d3b02a307ea4159ba15e6e9dc
                    • Opcode Fuzzy Hash: 155c12a200ed88d13dcd4b6cd31aec20864381a673a5222a2adb1a8ea6e816ec
                    • Instruction Fuzzy Hash: A2016D729046009FDF218F55D944B56FFF0EF48320F0888AADE498BA51D376E458EF62

                    Control-flow Graph
                    • Basic blocks: 147 f1a72e-f1a786 (OleGetClipboard); 149 f1a78c-f1a7a2
                    • Edges: 147->149
                    APIs
                    • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 00F1A77E
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836576406.0000000000F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1A000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_f1a000_Explower.jbxd
                    Similarity
                    • API ID: Clipboard
                    • String ID:
                    • API String ID: 220874293-0
                    • Opcode ID: 52d043431579cfb99bf150249a242958c81d1de5d6dcf197c88c39cf906c0282
                    • Instruction ID: dfaec14a57c528a38be02bac88f199f59b1bea83cce163032be700e5798d312b
                    • Opcode Fuzzy Hash: 52d043431579cfb99bf150249a242958c81d1de5d6dcf197c88c39cf906c0282
                    • Instruction Fuzzy Hash: 74018F71540201ABD210DF1ACD46B66FBE8EB89A20F14815AED089BB41D731F915CAE5

                    Control-flow Graph
                    • Basic blocks: 150 f1a65e-f1a688; 151 f1a6c0-f1a6c5; 152 f1a68a-f1a692 (OleInitialize); 153 f1a698-f1a6aa; 155 f1a6c7-f1a6cc; 156 f1a6ac-f1a6bf
                    • Edges: 150->151, 150->152, 151->152, 152->153, 153->155, 153->156, 155->156
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836576406.0000000000F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1A000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_f1a000_Explower.jbxd
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    • Opcode ID: 35e3b9cd079dac29b4fd7cfde09178bac8319db9bb1486b5255d46e1b807baef
                    • Instruction ID: a659ee0fa507beb543c05d24b7a0260d7d46f7229e03e9181e89ee8aa6e9f00b
                    • Opcode Fuzzy Hash: 35e3b9cd079dac29b4fd7cfde09178bac8319db9bb1486b5255d46e1b807baef
                    • Instruction Fuzzy Hash: 2F01A2719012408FDB20CF55D9847A5FBE4DF04320F08C4AADD488F756D279E444DEA2
                    APIs
                    • SetErrorMode.KERNELBASE(?), ref: 00F1AA44
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836576406.0000000000F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1A000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_f1a000_Explower.jbxd
                    Similarity
                    • API ID: ErrorMode
                    • String ID:
                    • API String ID: 2340568224-0
                    • Opcode ID: 19a958e3d52bb5e7070c37f57ab3de6f7d759a60930f66d40539c3f0c4ea99a3
                    • Instruction ID: fa44d34b11ae7a4231f26121d869b710af4981b7db7df334c497c43e7b516beb
                    • Opcode Fuzzy Hash: 19a958e3d52bb5e7070c37f57ab3de6f7d759a60930f66d40539c3f0c4ea99a3
                    • Instruction Fuzzy Hash: 96F0AF75901244DFDB208F05DA84BA5FBE0EF04724F08C0AADD494B752E279E948EEA2
                    APIs
                    • CloseHandle.KERNELBASE(?), ref: 00F1ABF0
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836576406.0000000000F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1A000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_f1a000_Explower.jbxd
                    Similarity
                    • API ID: CloseHandle
                    • String ID:
                    • API String ID: 2962429428-0
                    • Opcode ID: 975421e133337b2dbf0903b56d315642620efda60b46e6dcbcb75e96637416e4
                    • Instruction ID: b21b7a44ed9176a6d6d983e9d540f432a93c69e0cc14b99cd87f4909e64d7509
                    • Opcode Fuzzy Hash: 975421e133337b2dbf0903b56d315642620efda60b46e6dcbcb75e96637416e4
                    • Instruction Fuzzy Hash: A921D7755093C05FD7128F25DC95652BFB8EF07320F0984DBDC858F2A3D2649908D762
                    APIs
                    • CloseHandle.KERNELBASE(?), ref: 00F1ABF0
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836576406.0000000000F1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1A000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_f1a000_Explower.jbxd
                    Similarity
                    • API ID: CloseHandle
                    • String ID:
                    • API String ID: 2962429428-0
                    • Opcode ID: 4c8a68b7f901aac6ca90211b8d3cf2b79d5d37a59305610a2bf0cee16978d0b2
                    • Instruction ID: ab4cf2d3a7811630f12b303d447c85caa8add1bfdf2f8deb39aaf1a90f0ce29f
                    • Opcode Fuzzy Hash: 4c8a68b7f901aac6ca90211b8d3cf2b79d5d37a59305610a2bf0cee16978d0b2
                    • Instruction Fuzzy Hash: 0001D4759052408FDB20CF15D9847A5FBE4DF04320F08C4ABDC09CF745D275E444EAA2
                    Memory Dump Source
                    • Source File: 00000007.00000002.1837137478.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4e30000_Explower.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: af0397e83c8d5c989cb26e700655f92c9f7a8bd1f77c977b83c218e7d811227f
                    • Instruction ID: 1b6c4df29e0236d37fad2d64b65c05a453ae405541cf3d72c40b12258f17e0ec
                    • Opcode Fuzzy Hash: af0397e83c8d5c989cb26e700655f92c9f7a8bd1f77c977b83c218e7d811227f
                    • Instruction Fuzzy Hash: 37324934A00268CFDB25EF74C855BEDB7B2BB48309F1145A9D509AB3A4DB399E81CF50
                    Memory Dump Source
                    • Source File: 00000007.00000002.1837137478.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4e30000_Explower.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4c295bbef1727861db25034571291286c6aa7bc5d1edcb5084f6af45af9ff0d3
                    • Instruction ID: 05526d79b75385f319ba764e10cc4c9276dc3becaa2742cf29faeb316a08710b
                    • Opcode Fuzzy Hash: 4c295bbef1727861db25034571291286c6aa7bc5d1edcb5084f6af45af9ff0d3
                    • Instruction Fuzzy Hash: D1817A30A00258CFDB24EFB4C855BEDB7B2AF49308F1045A9D50AAB3A4DB795E85CF51
                    Memory Dump Source
                    • Source File: 00000007.00000002.1837137478.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4e30000_Explower.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: feb483eb6214d8145a0e15a28a4dcae0224b3ddcb3bacbe6cb7a9d1c921d0812
                    • Instruction ID: bc7088c67e99e712cdbc94a834ed85da712a6ff637dad17577329f6f0d5f6a93
                    • Opcode Fuzzy Hash: feb483eb6214d8145a0e15a28a4dcae0224b3ddcb3bacbe6cb7a9d1c921d0812
                    • Instruction Fuzzy Hash: 27416A34A00258CFDB24EFB4C955BECB7B2BF48309F5041A9D409AB2A5DB795E84CF61
                    Memory Dump Source
                    • Source File: 00000007.00000002.1837137478.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4e30000_Explower.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 69d8631bc4ea55ff6e536a1852bc7ead4807b9a7db10da7ae260b432baa31f42
                    • Instruction ID: 6c486ec5ffeeb436a445de2d9901fe2f01003ca846197bb8c8f8de6d6287c8b1
                    • Opcode Fuzzy Hash: 69d8631bc4ea55ff6e536a1852bc7ead4807b9a7db10da7ae260b432baa31f42
                    • Instruction Fuzzy Hash: 6F31E331B002118FE725BB79D9557AE33A79B8820CF14483AD105D77A9EF3DAD06C7A1
                    Memory Dump Source
                    • Source File: 00000007.00000002.1837137478.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4e30000_Explower.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c487e1d27a0e187bf1b179ad88a1b73aea26622d83cbe092602df92257a9e721
                    • Instruction ID: 2353c5a30bd2fa0cdeeee9ec3ce25827b8216b7166943b5463b06364a6e7f949
                    • Opcode Fuzzy Hash: c487e1d27a0e187bf1b179ad88a1b73aea26622d83cbe092602df92257a9e721
                    • Instruction Fuzzy Hash: 3531E231A043809FC719AB7898127AE3BA79B82358F1445AED041DF296DF795C0597A2
                    Memory Dump Source
                    • Source File: 00000007.00000002.1837137478.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4e30000_Explower.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5f9c1fb062b411d3e573170875b2c1dabb5b1c372cbc58cff0736caf3339eea8
                    • Instruction ID: 92da7ec74708a8352fcd65ee500e6bc0b16b5830500dbb2b78a02bbd574fcf36
                    • Opcode Fuzzy Hash: 5f9c1fb062b411d3e573170875b2c1dabb5b1c372cbc58cff0736caf3339eea8
                    • Instruction Fuzzy Hash: 0011E9357042804FC725E77CA8116AD37A39BC6358724457DD042DF356DF7D4C05A7A2
                    Memory Dump Source
                    • Source File: 00000007.00000002.1837137478.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4e30000_Explower.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: de4b53ad69823ab3dd112f2ecff5da71291b2646e75702928b0302b2b38096c6
                    • Instruction ID: ac97def7122523942804b313d9bf92b169199732dd75af256997e3ca5f89dd61
                    • Opcode Fuzzy Hash: de4b53ad69823ab3dd112f2ecff5da71291b2646e75702928b0302b2b38096c6
                    • Instruction Fuzzy Hash: 0B11B3A688F3C18FD3039764AC696913FB0AF67218B5F44CBC081CF1A7E65C590AD762
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836814307.0000000001010000.00000040.00000020.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_1010000_Explower.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0b62005ffd1f5f4da09d3df621a2c30c68edb1c60badcc11b8d16dad42eba897
                    • Instruction ID: 5888998420ddfd5caaf6de6bc9b7ca37aa659beae3b8ff5f8d197c3ae496945f
                    • Opcode Fuzzy Hash: 0b62005ffd1f5f4da09d3df621a2c30c68edb1c60badcc11b8d16dad42eba897
                    • Instruction Fuzzy Hash: 010167B65097816FD7128F169C40862FFF8DF8662070985ABEC498B752E225A904C772
                    Memory Dump Source
                    • Source File: 00000007.00000002.1837137478.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4e30000_Explower.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: da43e6997b59d1cae688b5940e65d5b4c649c1a387649c52279648c78eb32ccf
                    • Instruction ID: 2ae42864cfc09fa4f9be7dfc7a182331584fdf5e4e78fe9b40654edc9ae5d175
                    • Opcode Fuzzy Hash: da43e6997b59d1cae688b5940e65d5b4c649c1a387649c52279648c78eb32ccf
                    • Instruction Fuzzy Hash: 4B01C43420A381CFCB11EB78D99888C7BE1EFC4318B09886DE485CB356EB349C44DB52
                    Memory Dump Source
                    • Source File: 00000007.00000002.1837137478.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4e30000_Explower.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0dcf4598260cd762b3b8fee805901866898fc0ca349cbae3419356a3298030ae
                    • Instruction ID: e4018ebc459305d6685917dc5eab55d8fdfcb3ecc106d3ddd0cce23be66f9052
                    • Opcode Fuzzy Hash: 0dcf4598260cd762b3b8fee805901866898fc0ca349cbae3419356a3298030ae
                    • Instruction Fuzzy Hash: 22F0C272A04344AFEB14DEB08C52BAE7B669F81B28F1082AED541DB1D2DA794841C780
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836814307.0000000001010000.00000040.00000020.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_1010000_Explower.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9562e58b4bbc6a5bd51ce43e9ab673e99319ad37911a82115008537df3317e36
                    • Instruction ID: e82e3f0f0e879991cad951af01cf40604948b55f9df977df25a09e2c41cdf5cb
                    • Opcode Fuzzy Hash: 9562e58b4bbc6a5bd51ce43e9ab673e99319ad37911a82115008537df3317e36
                    • Instruction Fuzzy Hash: 59E092B66416004B9650CF0BFC81452F7E8EB88630708C47FDC0D8BB01E239B508CAA5
                    Memory Dump Source
                    • Source File: 00000007.00000002.1837137478.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4e30000_Explower.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b4a60e383fcd154c73696efb0374d3102a40f7830d669f28eb7c25e525e871e4
                    • Instruction ID: 831f727e02c96a2c98cfc16b07abdcc77022f21fd3014132d0d47fb96d5d72c4
                    • Opcode Fuzzy Hash: b4a60e383fcd154c73696efb0374d3102a40f7830d669f28eb7c25e525e871e4
                    • Instruction Fuzzy Hash: 3BE0EC3414D395CFC726573464289683B726F4620931904FEC85A8B666D67A9441EF40
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836562339.0000000000F12000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F12000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_f12000_Explower.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cb14d7212f1205f6728eb5ee2e05048d1b0ce75d21231a1b09c24ea2e83f7105
                    • Instruction ID: cbc7ec30e81604e83db05795cd48047ae476f1e1f97f38af3b7848598e922921
                    • Opcode Fuzzy Hash: cb14d7212f1205f6728eb5ee2e05048d1b0ce75d21231a1b09c24ea2e83f7105
                    • Instruction Fuzzy Hash: 50D05E796056D14FD326DA1CC6A4BD937D4AB51724F4A44F9A800CB763C768E9D1E600
                    Memory Dump Source
                    • Source File: 00000007.00000002.1836562339.0000000000F12000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F12000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_f12000_Explower.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 895ec062f4c8ae4d38a8a05dc3fcd244679bf460a7a6bec2392855ee565500d1
                    • Instruction ID: ed69a546eb8c40c132f69aebf27630abfdc60822b3e8992e8825b15e8089e412
                    • Opcode Fuzzy Hash: 895ec062f4c8ae4d38a8a05dc3fcd244679bf460a7a6bec2392855ee565500d1
                    • Instruction Fuzzy Hash: 23D05E346002814FC725DA4CC2D4F9937D4AB40724F0644E8AC208B762CBB8D8D5EA00