Windows Analysis Report
7UpMyeV5pj.exe

Overview

General Information

Sample name: 7UpMyeV5pj.exe (renamed because the original name is a hash value)
Original sample name: a458a33e5591c3fd7f7c8ae58d50ce55.exe
Analysis ID: 1510282
MD5: a458a33e5591c3fd7f7c8ae58d50ce55
SHA1: e9342f2bd7db767d12e0b5faa1f2918bdabafe77
SHA256: 95e922bc96ec909a9eb80ae3716af0038ee3de24fc22b569c527764bf3be27a1
Tags: exe, njrat, RAT

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Creates autorun.inf (USB autostart)
Disables the Windows task manager (taskmgr)
Disables zone checking for all users
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the program root directory (C:\Program Files)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 7UpMyeV5pj.exe (PID: 7104 cmdline: "C:\Users\user\Desktop\7UpMyeV5pj.exe" MD5: A458A33E5591C3FD7F7C8AE58D50CE55)
    • netsh.exe (PID: 6452 cmdline: netsh firewall add allowedprogram "C:\Users\user\Desktop\7UpMyeV5pj.exe" "7UpMyeV5pj.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Explower.exe (PID: 5308 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe" MD5: A458A33E5591C3FD7F7C8AE58D50CE55)
  • cleanup
Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
Malware Configuration Extractor: Njrat {"Campaign ID": "Victim", "Version": "0.7d", "Install Name": "c9ab3737857dedd15cd55323eac58732", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
Source | Rule | Description | Author | Strings
7UpMyeV5pj.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
7UpMyeV5pj.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x1266a:$a1: get_Registry
  • 0x15177:$a2: SEE_MASK_NOZONECHECKS
  • 0x14e19:$a3: Download ERROR
  • 0x153cd:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13356:$a5: netsh firewall delete allowedprogram "
7UpMyeV5pj.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x153cd:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x12ee2:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x14e37:$s3: Executed As
  • 0x1165d:$s5: Stub.exe
  • 0x14e19:$s6: Download ERROR
  • 0x12ea4:$s8: Select * From AntiVirusProduct
7UpMyeV5pj.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15177:$reg: SEE_MASK_NOZONECHECKS
  • 0x14dfd:$msg: Execute ERROR
  • 0x14e51:$msg: Execute ERROR
  • 0x153cd:$ping: cmd.exe /c ping 0 -n 2 & del
7UpMyeV5pj.exe | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x13356:$s1: netsh firewall delete allowedprogram
  • 0x133a8:$s2: netsh firewall add allowedprogram
  • 0x153cd:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x14dfd:$s4: Execute ERROR
  • 0x14e51:$s4: Execute ERROR
  • 0x14e19:$s5: Download ERROR
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\Explower.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
C:\Program Files (x86)\Explower.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x1266a:$a1: get_Registry
  • 0x15177:$a2: SEE_MASK_NOZONECHECKS
  • 0x14e19:$a3: Download ERROR
  • 0x153cd:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13356:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x153cd:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x12ee2:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x14e37:$s3: Executed As
  • 0x1165d:$s5: Stub.exe
  • 0x14e19:$s6: Download ERROR
  • 0x12ea4:$s8: Select * From AntiVirusProduct
C:\Program Files (x86)\Explower.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15177:$reg: SEE_MASK_NOZONECHECKS
  • 0x14dfd:$msg: Execute ERROR
  • 0x14e51:$msg: Execute ERROR
  • 0x153cd:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Program Files (x86)\Explower.exe | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x13356:$s1: netsh firewall delete allowedprogram
  • 0x133a8:$s2: netsh firewall add allowedprogram
  • 0x153cd:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x14dfd:$s4: Execute ERROR
  • 0x14e51:$s4: Execute ERROR
  • 0x14e19:$s5: Download ERROR
Source | Rule | Description | Author | Strings
00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x1246a:$a1: get_Registry
  • 0x14f77:$a2: SEE_MASK_NOZONECHECKS
  • 0x14c19:$a3: Download ERROR
  • 0x151cd:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13156:$a5: netsh firewall delete allowedprogram "
00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x14f77:$reg: SEE_MASK_NOZONECHECKS
  • 0x14bfd:$msg: Execute ERROR
  • 0x14c51:$msg: Execute ERROR
  • 0x151cd:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
Process Memory Space: 7UpMyeV5pj.exe PID: 7104 | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
Source | Rule | Description | Author | Strings
0.0.7UpMyeV5pj.exe.b60000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0.0.7UpMyeV5pj.exe.b60000.0.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x1266a:$a1: get_Registry
  • 0x15177:$a2: SEE_MASK_NOZONECHECKS
  • 0x14e19:$a3: Download ERROR
  • 0x153cd:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13356:$a5: netsh firewall delete allowedprogram "
0.0.7UpMyeV5pj.exe.b60000.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x153cd:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x12ee2:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x14e37:$s3: Executed As
  • 0x1165d:$s5: Stub.exe
  • 0x14e19:$s6: Download ERROR
  • 0x12ea4:$s8: Select * From AntiVirusProduct
0.0.7UpMyeV5pj.exe.b60000.0.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15177:$reg: SEE_MASK_NOZONECHECKS
  • 0x14dfd:$msg: Execute ERROR
  • 0x14e51:$msg: Execute ERROR
  • 0x153cd:$ping: cmd.exe /c ping 0 -n 2 & del
0.0.7UpMyeV5pj.exe.b60000.0.unpack | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x13356:$s1: netsh firewall delete allowedprogram
  • 0x133a8:$s2: netsh firewall add allowedprogram
  • 0x153cd:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x14dfd:$s4: Execute ERROR
  • 0x14e51:$s4: Execute ERROR
  • 0x14e19:$s5: Download ERROR

System Summary

Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\7UpMyeV5pj.exe, ProcessId: 7104, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-12T19:12:07.209155+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 3.124.142.205 | 11348 | TCP
2024-09-12T19:13:10.390914+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 18.192.31.165 | 11348 | TCP
2024-09-12T19:14:15.626582+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 18.192.31.165 | 11348 | TCP
2024-09-12T19:15:18.931966+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 18.192.31.165 | 11348 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-12T19:12:07.209155+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 3.124.142.205 | 11348 | TCP
2024-09-12T19:13:10.390914+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 18.192.31.165 | 11348 | TCP
2024-09-12T19:14:15.626582+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 18.192.31.165 | 11348 | TCP
2024-09-12T19:15:18.931966+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 18.192.31.165 | 11348 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-12T19:12:13.524657+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 3.124.142.205 | 11348 | TCP
2024-09-12T19:13:17.417672+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 18.192.31.165 | 11348 | TCP
2024-09-12T19:14:26.767361+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 18.192.31.165 | 11348 | TCP
2024-09-12T19:15:26.630243+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 18.192.31.165 | 11348 | TCP

AV Detection

Source: 7UpMyeV5pj.exe | Avira: detected
Source: C:\system.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Umbrella.flv.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Notepad.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack | Malware Configuration Extractor: Njrat {"Campaign ID": "Victim", "Version": "0.7d", "Install Name": "c9ab3737857dedd15cd55323eac58732", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
Source: C:\Notepad.exe | ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Umbrella.flv.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Documents\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Favorites\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\Windows\SysWOW64\Explower.exe | ReversingLabs: Detection: 84%
Source: C:\system.exe | ReversingLabs: Detection: 84%
Source: 7UpMyeV5pj.exe | ReversingLabs: Detection: 84%
Source: Yara match | File source: 7UpMyeV5pj.exe, type: SAMPLE
Source: Yara match | File source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7UpMyeV5pj.exe PID: 7104, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
Source: Yara match | File source: C:\Notepad.exe, type: DROPPED
Source: Yara match | File source: C:\system.exe, type: DROPPED
Source: Yara match | File source: C:\Umbrella.flv.exe, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\system.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe | Joe Sandbox ML: detected
Source: C:\Umbrella.flv.exe | Joe Sandbox ML: detected
Source: C:\Notepad.exe | Joe Sandbox ML: detected
Source: 7UpMyeV5pj.exe | Joe Sandbox ML: detected
Source: 7UpMyeV5pj.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: 7UpMyeV5pj.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Source: 7UpMyeV5pj.exe, -.cs | .Net Code: @
Source: Explower.exe.0.dr, -.cs | .Net Code: @
Source: Explower.exe0.0.dr, -.cs | .Net Code: @
Source: system.exe.0.dr, -.cs | .Net Code: @
Source: Notepad.exe.0.dr, -.cs | .Net Code: @
Source: Explower.exe1.0.dr, -.cs | .Net Code: @
Source: Explower.exe2.0.dr, -.cs | .Net Code: @
Source: Explower.exe3.0.dr, -.cs | .Net Code: @
Source: Explower.exe4.0.dr, -.cs | .Net Code: @
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File created: C:\autorun.inf
Source: 7UpMyeV5pj.exe, 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: \autorun.inf
Source: 7UpMyeV5pj.exe, 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: [autorun]
Source: 7UpMyeV5pj.exe, 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: autorun.inf
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \autorun.inf
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf$OZk
Source: 7UpMyeV5pj.exe | Binary or memory string: \autorun.inf
Source: 7UpMyeV5pj.exe | Binary or memory string: [autorun]
Source: 7UpMyeV5pj.exe | Binary or memory string: autorun.inf
Source: system.exe.0.dr | Binary or memory string: \autorun.inf
Source: system.exe.0.dr | Binary or memory string: [autorun]
Source: system.exe.0.dr | Binary or memory string: autorun.inf
Source: Explower.exe2.0.dr | Binary or memory string: \autorun.inf
Source: Explower.exe2.0.dr | Binary or memory string: [autorun]
Source: Explower.exe2.0.dr | Binary or memory string: autorun.inf
Source: Umbrella.flv.exe.0.dr | Binary or memory string: \autorun.inf
Source: Umbrella.flv.exe.0.dr | Binary or memory string: [autorun]
Source: Umbrella.flv.exe.0.dr | Binary or memory string: autorun.inf
Source: Notepad.exe.0.dr | Binary or memory string: \autorun.inf
Source: Notepad.exe.0.dr | Binary or memory string: [autorun]
Source: Notepad.exe.0.dr | Binary or memory string: autorun.inf
Source: Explower.exe8.0.dr | Binary or memory string: \autorun.inf
Source: Explower.exe8.0.dr | Binary or memory string: [autorun]
Source: Explower.exe8.0.dr | Binary or memory string: autorun.inf
Source: Explower.exe.0.dr | Binary or memory string: \autorun.inf
Source: Explower.exe.0.dr | Binary or memory string: [autorun]
Source: Explower.exe.0.dr | Binary or memory string: autorun.inf
Source: Explower.exe1.0.dr | Binary or memory string: \autorun.inf
Source: Explower.exe1.0.dr | Binary or memory string: [autorun]
Source: Explower.exe1.0.dr | Binary or memory string: autorun.inf
Source: Explower.exe4.0.dr | Binary or memory string: \autorun.inf
Source: Explower.exe4.0.dr | Binary or memory string: [autorun]
Source: Explower.exe4.0.dr | Binary or memory string: autorun.inf
Source: Explower.exe3.0.dr | Binary or memory string: \autorun.inf
Source: Explower.exe3.0.dr | Binary or memory string: [autorun]
Source: Explower.exe3.0.dr | Binary or memory string: autorun.inf
Source: Explower.exe7.0.dr | Binary or memory string: \autorun.inf
Source: Explower.exe7.0.dr | Binary or memory string: [autorun]
Source: Explower.exe7.0.dr | Binary or memory string: autorun.inf
Source: Explower.exe6.0.dr | Binary or memory string: \autorun.inf
Source: Explower.exe6.0.dr | Binary or memory string: [autorun]
Source: Explower.exe6.0.dr | Binary or memory string: autorun.inf
Source: Explower.exe0.0.dr | Binary or memory string: \autorun.inf
Source: Explower.exe0.0.dr | Binary or memory string: [autorun]
Source: Explower.exe0.0.dr | Binary or memory string: autorun.inf
Source: Explower.exe5.0.dr | Binary or memory string: \autorun.inf
Source: Explower.exe5.0.dr | Binary or memory string: [autorun]
Source: Explower.exe5.0.dr | Binary or memory string: autorun.inf
Source: autorun.inf.0.dr | Binary or memory string: [autorun]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Networking

Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49730 -> 3.124.142.205:11348
Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49738 -> 18.192.31.165:11348
Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49740 -> 18.192.31.165:11348
Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49740 -> 18.192.31.165:11348
Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49738 -> 18.192.31.165:11348
Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49730 -> 3.124.142.205:11348
Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49739 -> 18.192.31.165:11348
Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49739 -> 18.192.31.165:11348
Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49738 -> 18.192.31.165:11348
Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49739 -> 18.192.31.165:11348
Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49730 -> 3.124.142.205:11348
Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49740 -> 18.192.31.165:11348
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 3.124.142.205:11348
Source: global traffic | TCP traffic: 192.168.2.4:49738 -> 18.192.31.165:11348
Source: Joe Sandbox View | IP Address: 3.124.142.205
Source: Joe Sandbox View | IP Address: 18.192.31.165
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: 0.tcp.eu.ngrok.io
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Source: Yara match | File source: 7UpMyeV5pj.exe, type: SAMPLE
Source: Yara match | File source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7UpMyeV5pj.exe PID: 7104, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
Source: Yara match | File source: C:\Notepad.exe, type: DROPPED
Source: Yara match | File source: C:\system.exe, type: DROPPED
Source: Yara match | File source: C:\Umbrella.flv.exe, type: DROPPED

System Summary

Source: 7UpMyeV5pj.exe, type: SAMPLE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 7UpMyeV5pj.exe, type: SAMPLE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7UpMyeV5pj.exe, type: SAMPLE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 7UpMyeV5pj.exe, type: SAMPLE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Notepad.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Notepad.exe, type: DROPPED | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Notepad.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\system.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\system.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\system.exe, type: DROPPED | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\system.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: C:\system.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: C:\system.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: C:\system.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: C:\system.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: C:\system.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: C:\system.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: C:\system.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: C:\system.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: C:\system.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: C:\system.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: C:\system.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: C:\system.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: C:\Umbrella.flv.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
              Source: C:\Umbrella.flv.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
              Source: C:\Umbrella.flv.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
              Source: C:\Umbrella.flv.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
              Source: C:\Umbrella.flv.exe, type: DROPPEDMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
              Source: C:\Umbrella.flv.exe, type: DROPPEDMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
              Source: C:\Umbrella.flv.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: C:\Umbrella.flv.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: C:\Umbrella.flv.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: C:\Umbrella.flv.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: C:\Umbrella.flv.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: C:\Umbrella.flv.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Code function: 0_2_0125BEFE NtQuerySystemInformation, | 0_2_0125BEFE
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Code function: 0_2_0125BECD NtQuerySystemInformation, | 0_2_0125BECD
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File created: C:\Windows\SysWOW64\Explower.exe
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File created: C:\Windows\SysWOW64\Explower.exe:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Code function: 0_2_01507418 | 0_2_01507418
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Code function: 0_2_01504298 | 0_2_01504298
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Code function: 0_2_01504269 | 0_2_01504269
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Code function: 0_2_015073FE | 0_2_015073FE
Source: 7UpMyeV5pj.exe, 00000000.00000002.4137881403.000000000129E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs 7UpMyeV5pj.exe
Source: 7UpMyeV5pj.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7UpMyeV5pj.exe, type: SAMPLE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 7UpMyeV5pj.exe, type: SAMPLE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7UpMyeV5pj.exe, type: SAMPLE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 7UpMyeV5pj.exe, type: SAMPLE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Notepad.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Notepad.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Notepad.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Notepad.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Notepad.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\system.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\system.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\system.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\system.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\system.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: classification engine | Classification label: mal100.spre.phis.troj.adwa.evad.winEXE@5/30@4/2
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Code function: 0_2_0125BD82 AdjustTokenPrivileges, | 0_2_0125BD82
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Code function: 0_2_0125BD4B AdjustTokenPrivileges, | 0_2_0125BD4B
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File created: C:\Program Files (x86)\Explower.exe
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File created: C:\Users\user\AppData\Roaming\app
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Mutant created: \Sessions\1\BaseNamedObjects\c9ab3737857dedd15cd55323eac58732
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_03
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt
Source: 7UpMyeV5pj.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 7UpMyeV5pj.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7UpMyeV5pj.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File read: C:\Users\user\Desktop\7UpMyeV5pj.exe
Source: unknown | Process created: C:\Users\user\Desktop\7UpMyeV5pj.exe "C:\Users\user\Desktop\7UpMyeV5pj.exe"
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\7UpMyeV5pj.exe" "7UpMyeV5pj.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe"
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\7UpMyeV5pj.exe" "7UpMyeV5pj.exe" ENABLE
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeSection loaded: shfolder.dllJump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32Jump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
              Source: 7UpMyeV5pj.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dllJump to behavior
              Source: 7UpMyeV5pj.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              Source: 7UpMyeV5pj.exe, -.cs | .Net Code: @ System.Reflection.Assembly.Load(byte[])
              Source: Explower.exe.0.dr, -.cs | .Net Code: @ System.Reflection.Assembly.Load(byte[])
              Source: Explower.exe0.0.dr, -.cs | .Net Code: @ System.Reflection.Assembly.Load(byte[])
              Source: system.exe.0.dr, -.cs | .Net Code: @ System.Reflection.Assembly.Load(byte[])
              Source: Notepad.exe.0.dr, -.cs | .Net Code: @ System.Reflection.Assembly.Load(byte[])
              Source: Explower.exe1.0.dr, -.cs | .Net Code: @ System.Reflection.Assembly.Load(byte[])
              Source: Explower.exe2.0.dr, -.cs | .Net Code: @ System.Reflection.Assembly.Load(byte[])
              Source: Explower.exe3.0.dr, -.cs | .Net Code: @ System.Reflection.Assembly.Load(byte[])
              Source: Explower.exe4.0.dr, -.cs | .Net Code: @ System.Reflection.Assembly.Load(byte[])
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | Code function: 3_2_05053140 push ebx; ret 3_2_05053154

              Persistence and Installation Behavior

              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File created: C:\Users\user\Documents\Explower.exe
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File created: C:\system.exe
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File created: C:\Notepad.exe
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File created: C:\Windows\SysWOW64\Explower.exe
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File created: C:\Users\user\Desktop\Explower.exe
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File created: C:\Users\user\AppData\Local\Explower.exe
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File created: C:\Program Files (x86)\Explower.exe
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File created: C:\Umbrella.flv.exe
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File created: C:\Users\user\Favorites\Explower.exe

              Boot Survival

              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe\:Zone.Identifier:$DATA
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 14B0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 31C0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 51C0000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 6310000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 7310000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: A620000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: B620000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: B880000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: C880000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: CD30000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: DD30000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: ED30000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: FD30000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 10D30000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 11D30000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 12D30000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 13D30000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 14680000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 15680000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 16680000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 17680000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 18680000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 19680000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 1A680000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 1B680000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 1C680000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 1D680000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 1E680000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 1F680000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 20680000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 21680000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 22680000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 23680000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 24680000 memory commit | memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: B920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 25920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 26920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 27920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 28920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 29920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 2A920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 2B920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 2C920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 2D920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 2E920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 2F920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 30920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 31920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 32920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 33920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 34920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 35920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: BA20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: CA20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: DA20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: D160000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: D2A0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: EB20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: FB20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 10B20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 11B20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 12B20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 13B20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 14B20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 15B20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 16B20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 17B20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 18B20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 19B20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 1AB20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 1BB20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 1CB20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 1DB20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 1EB20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 1FB20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 20B20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 21B20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 22B20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 36920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 37920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 38920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 39920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 3A920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 3B920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 3C920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 3D920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 3E920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 3F920000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: FAA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 10AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 11AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 12AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 13AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 14AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 15AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 16AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 17AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 18AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 19AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 1AAA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 1BAA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 1CAA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 1DAA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 1EAA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 1FAA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 20AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 21AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 22AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: F6E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 106E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 116E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 126E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 136E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 146E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe | Memory allocated: 156E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeMemory allocated: 166E0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeMemory allocated: 176E0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeMemory allocated: 186E0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeMemory allocated: 196E0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeMemory allocated: 1A6E0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeMemory allocated: 1B6E0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeMemory allocated: 1C6E0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeMemory allocated: 1D6E0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeMemory allocated: 1E6E0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeMemory allocated: 1F6E0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeMemory allocated: 206E0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeMemory allocated: 216E0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeMemory allocated: 226E0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeMemory allocated: 11B0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeMemory allocated: 2E60000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeMemory allocated: 4E60000 memory commit | memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeWindow / User API: threadDelayed 2945Jump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeWindow / User API: threadDelayed 1870Jump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeWindow / User API: foregroundWindowGot 453Jump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeWindow / User API: foregroundWindowGot 481Jump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe TID: 4856Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe TID: 4856Thread sleep count: 213 > 30Jump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe TID: 3020Thread sleep count: 2945 > 30Jump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe TID: 3020Thread sleep time: -1472500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe TID: 7144Thread sleep count: 35 > 30Jump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe TID: 3020Thread sleep count: 1870 > 30Jump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exe TID: 3020Thread sleep time: -935000s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe TID: 3496Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeFile opened: C:\Users\user\AppData\Jump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeFile opened: C:\Users\user\Jump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138031209.000000000133C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWlicationName="
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138031209.000000000133C000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000001.00000002.1729988687.00000000013DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeMemory allocated: page read and write | page guardJump to behavior
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:48 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:13:34 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:22 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 14:09:56 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:02 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/17 | 10:17:45 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 23:09:33 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:35 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 54:27 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:14:39 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 7 | 07:42:10 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/19 | 14:44:17 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:13:14 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:13:41 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 21:40:10 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:27 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:13:00 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/19 | 17:35:09 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:14 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:13:59 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:01 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:13:06 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:13:20 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/17 | 07:42:10 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/19 | 17:42:47 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/17 | 05:19:00 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:41 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:51 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:31 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 14:17:10 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:13:02 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:37 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/17 | 00:17:41 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:57 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:47 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:20 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/17 | 06:09:18 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:15:05 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:13:32 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:26 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:50 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 23:28:46 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:19:10 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:16 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:30 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:40 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:13:48 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/17 | 00:28:10 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:58 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:45 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/17 | 06:33:31 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138677784.000000000556B000.00000004.00000010.00020000.00000000.sdmp, 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, 7UpMyeV5pj.exe, 00000000.00000002.4138883948.000000000667D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:32 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:25 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:14:10 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/19 | 17:54:27 - Program Manager
              Source: 7UpMyeV5pj.exe, system.exe.0.dr, Explower.exe2.0.dr, Umbrella.flv.exe.0.dr, Notepad.exe.0.dr, Explower.exe8.0.dr, Explower.exe.0.dr, Explower.exe1.0.dr, Explower.exe4.0.dr, Explower.exe3.0.dr, Explower.exe7.0.dr, Explower.exe6.0.dr, Explower.exe0.0.drBinary or memory string: ProgMan
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 14:22:39 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:13:17 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:13:31 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:04 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:17 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:13:03 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:11 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:52 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138677784.000000000556B000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: dProgram ManagerU
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/17 | 10:22:06 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 21:27:57 - Program Manager
              Source: 7UpMyeV5pj.exe, system.exe.0.dr, Explower.exe2.0.dr, Umbrella.flv.exe.0.dr, Notepad.exe.0.dr, Explower.exe8.0.dr, Explower.exe.0.dr, Explower.exe1.0.dr, Explower.exe4.0.dr, Explower.exe3.0.dr, Explower.exe7.0.dr, Explower.exe6.0.dr, Explower.exe0.0.drBinary or memory string: Shell_traywnd+MostrarBarraDeTarefas
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:14:01 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:15:49 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:19 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/17 | 00:02:04 - Program Manager
              Source: 7UpMyeV5pj.exe, system.exe.0.dr, Explower.exe2.0.dr, Umbrella.flv.exe.0.dr, Notepad.exe.0.dr, Explower.exe8.0.dr, Explower.exe.0.dr, Explower.exe1.0.dr, Explower.exe4.0.dr, Explower.exe3.0.dr, Explower.exe7.0.dr, Explower.exe6.0.dr, Explower.exe0.0.drBinary or memory string: Shell_TrayWnd
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/17 | 09:52:02 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:34 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:14:31 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138883948.000000000667D000.00000004.00000800.00020000.00000000.sdmp, Explower.exe, 00000003.00000002.1850814531.0000000002E61000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -ledProgram Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/17 | 02:09:47 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:14:16 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:17:10 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:59 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/14 | 17:58:49 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:49 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:15:28 - Program Manager
              Source: 7UpMyeV5pj.exe, 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/12 | 13:12:03 - Program Manager
              Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\7UpMyeV5pj.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: 7UpMyeV5pj.exe, -.cs :: .Net Code: @
Source: Explower.exe.0.dr, -.cs :: .Net Code: @
Source: Explower.exe0.0.dr, -.cs :: .Net Code: @
Source: system.exe.0.dr, -.cs :: .Net Code: @
Source: Notepad.exe.0.dr, -.cs :: .Net Code: @
Source: Explower.exe1.0.dr, -.cs :: .Net Code: @
Source: Explower.exe2.0.dr, -.cs :: .Net Code: @
Source: Explower.exe3.0.dr, -.cs :: .Net Code: @
Source: Explower.exe4.0.dr, -.cs :: .Net Code: @
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe :: Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe :: Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe :: Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\7UpMyeV5pj.exe" "7UpMyeV5pj.exe" ENABLE
Source: C:\Users\user\Desktop\7UpMyeV5pj.exe :: Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\7UpMyeV5pj.exe" "7UpMyeV5pj.exe" ENABLE

Stealing of Sensitive Information

Source: Yara match :: File source: 7UpMyeV5pj.exe, type: SAMPLE
Source: Yara match :: File source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match :: File source: 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: Process Memory Space: 7UpMyeV5pj.exe PID: 7104, type: MEMORYSTR
Source: Yara match :: File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
Source: Yara match :: File source: C:\Notepad.exe, type: DROPPED
Source: Yara match :: File source: C:\system.exe, type: DROPPED
Source: Yara match :: File source: C:\Umbrella.flv.exe, type: DROPPED

Remote Access Functionality

Source: Yara match :: File source: 7UpMyeV5pj.exe, type: SAMPLE
Source: Yara match :: File source: 0.0.7UpMyeV5pj.exe.b60000.0.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match :: File source: 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: Process Memory Space: 7UpMyeV5pj.exe PID: 7104, type: MEMORYSTR
Source: Yara match :: File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
Source: Yara match :: File source: C:\Notepad.exe, type: DROPPED
Source: Yara match :: File source: C:\system.exe, type: DROPPED
Source: Yara match :: File source: C:\Umbrella.flv.exe, type: DROPPED

Mitre Att&ck Matrix (one line per tactic column; the number in brackets after a technique is the count of signatures matched to it in this analysis, techniques without a number had no match)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Replication Through Removable Media [21], Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: Registry Run Keys / Startup Folder [12], DLL Side-Loading [1], Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Access Token Manipulation [1], Process Injection [2], Registry Run Keys / Startup Folder [12], DLL Side-Loading [1], Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading [32], Disable or Modify Tools [51], Virtualization/Sandbox Evasion [31], Access Token Manipulation [1], Process Injection [2], Obfuscated Files or Information [1], Software Packing [1], DLL Side-Loading [1]
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Security Software Discovery [11], Process Discovery [2], Virtualization/Sandbox Evasion [31], Application Window Discovery [1], Peripheral Device Discovery [1], File and Directory Discovery [1], System Information Discovery [12], System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data [1], Clipboard Data [1], Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel [1], Non-Standard Port [1], Non-Application Layer Protocol [1], Application Layer Protocol [1], Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Source | Detection | Scanner | Label
7UpMyeV5pj.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
7UpMyeV5pj.exe | 100% | Avira | TR/Dropper.Gen
7UpMyeV5pj.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\system.exe | 100% | Avira | TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe | 100% | Avira | TR/Dropper.Gen
C:\Umbrella.flv.exe | 100% | Avira | TR/Dropper.Gen
C:\Notepad.exe | 100% | Avira | TR/Dropper.Gen
C:\system.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Explower.exe | 100% | Joe Sandbox ML |
C:\Umbrella.flv.exe | 100% | Joe Sandbox ML |
C:\Notepad.exe | 100% | Joe Sandbox ML |
C:\Notepad.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Program Files (x86)\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Umbrella.flv.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\Desktop\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\Documents\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\Favorites\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Windows\SysWOW64\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\system.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT

No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
0.tcp.eu.ngrok.io | 3.124.142.205 | true | true | | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
3.124.142.205 | 0.tcp.eu.ngrok.io | United States | 16509 | AMAZON-02US | true
18.192.31.165 | unknown | United States | 16509 | AMAZON-02US | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1510282
Start date and time: 2024-09-12 19:11:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 7UpMyeV5pj.exe (renamed because the original name is a hash value)
Original Sample Name: a458a33e5591c3fd7f7c8ae58d50ce55.exe
Detection: MAL
Classification: mal100.spre.phis.troj.adwa.evad.winEXE@5/30@4/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 159
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: 7UpMyeV5pj.exe
Time | Type | Description
13:12:39 | API Interceptor | 138052x Sleep call for process: 7UpMyeV5pj.exe modified
18:12:05 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3.124.142.205 | xaa.doc.docx | malicious | CVE-2021-40444 | 259f-88-231-63-13.eu.ngrok.io/
18.192.31.165 | muyq8X8qXp.exe | malicious | Unknown | 3eae-79-191-34-149.eu.ngrok.io/sysvndump/send

Match | Associated Sample Name / URL | Detection | Threat Name | Context
0.tcp.eu.ngrok.io | 7tjt3u68PZ.exe | malicious | Njrat | 3.125.209.94
0.tcp.eu.ngrok.io | kOBRIUczY0.exe | malicious | Njrat | 3.125.102.39
0.tcp.eu.ngrok.io | QbkuoGa4nm.exe | malicious | Njrat | 3.125.223.134
0.tcp.eu.ngrok.io | SecuriteInfo.com.Trojan.Siggen29.14708.13579.16480.exe | malicious | StormKitty, XWorm | 18.192.31.165
0.tcp.eu.ngrok.io | Windows21.exe | malicious | ZTrat | 3.125.209.94
0.tcp.eu.ngrok.io | 1Md4DEEyQN.exe | malicious | Njrat | 3.125.223.134
0.tcp.eu.ngrok.io | TiXxNKsN4C.exe | malicious | Njrat | 18.158.249.75
0.tcp.eu.ngrok.io | tWBQ8JmsVy.exe | malicious | Njrat | 3.125.209.94
0.tcp.eu.ngrok.io | Sd5Q0qD0YF.exe | malicious | Njrat | 3.125.223.134
0.tcp.eu.ngrok.io | 91023930344124.EXE.exe | malicious | Unknown | 3.125.209.94
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US | Brownsburg Fire Territory.pdf | malicious | Unknown | 13.227.219.106
AMAZON-02US | SecuriteInfo.com.Riskware.Application.5189.31489.exe | malicious | Unknown | 54.230.228.76
AMAZON-02US | P09Qwe9fqsKdQIyTGnGxNs8xS[1] | malicious | Tycoon2FA | 3.161.119.34
AMAZON-02US | https://ftp.hp.com/pub/softlib/software13/HPSA/HPSupportSolutionsFramework-13.0.1.131.exe | malicious | Unknown | 34.213.84.38
AMAZON-02US | vm AUDIO_QzOXYQIfIQZ VOICE September 11th, 2024 attachment.html | malicious | HTMLPhisher, Tycoon2FA | 18.239.83.96
AMAZON-02US | http://url7829.pcsrdesk.com/ls/click?upn=u001.nbKFt0-2FCe8GqWYb6aRzVSspOoKxL-2B8Qs9N3b7IrNTNDWMvcMhiA0nesbfLr2sei5CzkpSMzLWSWF6HncRdiGtg-3D-3Dd1IV_PBm3xKPXITlLipppzFDXCirI58RSdMKdXdG-2F80SohbBy4zq53iNVTA5ei1o8HwzpS93FlvZ275SNJFmlTeRSpI8EUZ4xHQqPo8gDvVG2BEHNznD1ry3PWBBHGL6G0-2BrzMelUuaUp9ztyBG3043BYwIdAYuOH3xNZvMfwqdVCLRE3AF7pMJ-2FMZtqfsuyRf2sjgMjsT1YXN9CTKoqmwN-2FAW6hETjOVm0QS9VoHqiLVjrTRrBJcX-2BcDm2Z1X9OF7ehMOfPQ3evnGTEtoWkAk-2Bh7ORnv-2Fj2fQjC2p7H5-2FCkdn4Mpv5fBX6ZZ5RswUz6VRlnrB7mOCBabsE2DJMUHfAb3vgLhZdV2viCUsGG-2BHUJzT24sSm1337AgZrFc-2BvtX8zUghrJUabZ-2ByMWOT5Lh46BgD0M8clhcSRb3zqPnMEmzDOEM1TbAL0M8z0-2FJKRsfPcVAqIMmOpK-2FPO1TrpSTvmrU-2BVP1fURRCEyX1PrI29lcVLFWonx9AnPvlFgSTSwoBrq2ilDwXPS8Cl-2B6YQGebYmy6SdCjN-2B7ahp-2FnbrrpNfLSsm5cLkcOtk9OG1tnApG7l7ngD40KKnNlcGsG86mZ3rqwaEYKfEIGmifKLU23sQguKhcISeAE32aHj0dKUn1j3Gt9L-2FpxcoQ-2B1JEVN6VCqf1i6gitCRd17fUf9xvlxVmVudH3iZULVl3mRZz3YdKEnPYkveXaSWcTdVwY3-2BI6MY6EMPmC9rVkdOa3Grj5lNwi3dHAoYjqYOVnMa5PFeRHliiZgtLD1engEGaKd7qhhJVt8zOyibK1DjClIo7VbPkVTmx4Xu1R62oVmw5HBwZEHksYA0eh4y1sEIIeLaVgP52DQ-3D-3D | malicious | Unknown | 13.227.219.40
AMAZON-02US | https://oakvillemdcsignin.softr.app/ | malicious | Unknown | 99.84.238.130
AMAZON-02US | https://www.lsswis.org/ | malicious | Unknown | 18.239.49.193
AMAZON-02US | http://url7829.pcsrdesk.com/ls/click?upn=u001.nbKFt0-2FCe8GqWYb6aRzVSspOoKxL-2B8Qs9N3b7IrNTNDWMvcMhiA0nesbfLr2sei5CzkpSMzLWSWF6HncRdiGtg-3D-3Depjf_Iw3cex3ZqTITszazbri0K-2FC6JX9CYcSKeNEkHAD5yqLsyD40a8pdQeubh5eh65p8UWVnJYpmbNi4BEl2mHF7eCQ-2FecEyeftHVzEYyT4NHcqNcqCJLjf1XRDH630GoNx70cuNZz5POYp9-2BqFLTo8y7ihDDU3kAVg-2FPsVVQJG2nwQDDTKBTm26VVzvCbds3WN7nYVB9LxL-2FyxZLPQ5UnpJzHXFwotm0-2BO9-2BTbaL6c81yivS9jvMAjDlyPwMKHDOkT2ZA9ppkt7uWMfkl5H0Z2Mp9kUufr4F-2FVhuugfMM1U-2FgRrGbyHHh3LOh0dXsc0VYHm6jsPKxv4l-2FbnpDiizlXu8mFqKMFgwR1xWBYr8NQAUFZG-2BSWHgm9DWgXaI-2F5h6FYnzlDAqprfEYlTqckwUC1MqgO2Ja6X41xqyke1o-2BaSlvLQXI0rAL1nFy1VPzJYLR0-2BIJk5NKQ-2Fjb-2FFyn9zv-2Fq-2FfdBsztBKKWCBYi7XeJM-2FivOTrrWUbD2VYbwqrpg1y7znL10SQbyrWDfP8hHkZ5rnFfcKuQ-2BpAizc-2FunPcTwL-2B-2FU0cxOMGLeY6JTMlgiuaCIyIu-2B2x3vah-2B5ARLzG2Lch8k2-2FOlKGfOCh8dOY53sX3zBM3HudvdmANsn0iMODjyfdDzekW02-2B8hRFUwcBOjndWCElGAQTgy1auVik7xT-2FxnERpcR8wxKKW-2BYUWgejF9obdSwL8Xzbe2KIZXpwagsBHc0ZsYtLAMVn3OGiyTMwQw5kZV6XKn3xK9LkmAdvyz8HN7jXgrus32COEwOVhC7aSpisZ175hOiStlmDZTS-2FYsN8h0eMkADTrPRa-2FLhCFn58l8jf0zX4-2B90FyrKW5nHPAp9iBSEXm-2F6Gq8YNkqJbm8o-3D&c=E,1,-YhqrxALbOoF7IYLASSHnoG1WrToqWwedPF4140vsVzLoA8fupXcjEywNR8DEHCUyf-RZJcaCTQyfQGcFjeKaaGjBD2d0iZLNR9P1EHQZCRRc6jDHlA_zd51Tg,,&typo=1 | malicious | Unknown | 13.227.219.25
AMAZON-02US | https://bit.ly/4dU5cz3#CIgedJLuqmncgJYdTfeyaCNmWsrQtR&4sWlQeNzELg&135070/182/fldptionns.home.php?sq=1726-248&lk=267585-14&page=362 | malicious | Phisher | 13.35.58.10
                No context
Process: C:\Users\user\Desktop\7UpMyeV5pj.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 93184
Entropy (8bit): 5.54839144289879
Encrypted: false
SSDEEP: 768:nGZefiM+0uGAfIi+qXuzMywjZdLJakHX+xWvYR4SYzktFI3tr3/iTnRVOR1MY4ss:hfil0pUjBjZdL4kHG5mktQJVR1Fpiv
MD5: A458A33E5591C3FD7F7C8AE58D50CE55
SHA1: E9342F2BD7DB767D12E0B5FAA1F2918BDABAFE77
SHA-256: 95E922BC96EC909A9EB80AE3716AF0038EE3DE24FC22B569C527764BF3BE27A1
SHA-512: 4891D5E2CEE561B87FF2399392168EAEDC4DF7FC312F0F00949DC97E9098BDB74E13F4A07CE42D660205C0AFE55419AC1FBE6C328B343E267D626289B0E6E81E
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Notepad.exe, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Notepad.exe, Author: unknown
• Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Notepad.exe, Author: Florian Roth
• Rule: Njrat, Description: detect njRAT in memory, Source: C:\Notepad.exe, Author: JPCERT/CC Incident Response Group
• Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 84%
Reputation: low
Process: C:\Users\user\Desktop\7UpMyeV5pj.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
Process: C:\Users\user\Desktop\7UpMyeV5pj.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 93184
Entropy (8bit): 5.54839144289879
Encrypted: false
SSDEEP: 768:nGZefiM+0uGAfIi+qXuzMywjZdLJakHX+xWvYR4SYzktFI3tr3/iTnRVOR1MY4ss:hfil0pUjBjZdL4kHG5mktQJVR1Fpiv
MD5: A458A33E5591C3FD7F7C8AE58D50CE55
SHA1: E9342F2BD7DB767D12E0B5FAA1F2918BDABAFE77
SHA-256: 95E922BC96EC909A9EB80AE3716AF0038EE3DE24FC22B569C527764BF3BE27A1
SHA-512: 4891D5E2CEE561B87FF2399392168EAEDC4DF7FC312F0F00949DC97E9098BDB74E13F4A07CE42D660205C0AFE55419AC1FBE6C328B343E267D626289B0E6E81E
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Program Files (x86)\Explower.exe, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Program Files (x86)\Explower.exe, Author: unknown
• Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Program Files (x86)\Explower.exe, Author: Florian Roth
• Rule: Njrat, Description: detect njRAT in memory, Source: C:\Program Files (x86)\Explower.exe, Author: JPCERT/CC Incident Response Group
• Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 84%
Reputation: low
Process: C:\Users\user\Desktop\7UpMyeV5pj.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
Process: C:\Users\user\Desktop\7UpMyeV5pj.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 93184
Entropy (8bit): 5.54839144289879
Encrypted: false
SSDEEP: 768:nGZefiM+0uGAfIi+qXuzMywjZdLJakHX+xWvYR4SYzktFI3tr3/iTnRVOR1MY4ss:hfil0pUjBjZdL4kHG5mktQJVR1Fpiv
MD5: A458A33E5591C3FD7F7C8AE58D50CE55
SHA1: E9342F2BD7DB767D12E0B5FAA1F2918BDABAFE77
SHA-256: 95E922BC96EC909A9EB80AE3716AF0038EE3DE24FC22B569C527764BF3BE27A1
SHA-512: 4891D5E2CEE561B87FF2399392168EAEDC4DF7FC312F0F00949DC97E9098BDB74E13F4A07CE42D660205C0AFE55419AC1FBE6C328B343E267D626289B0E6E81E
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Umbrella.flv.exe, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Umbrella.flv.exe, Author: unknown
• Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Umbrella.flv.exe, Author: Florian Roth
• Rule: Njrat, Description: detect njRAT in memory, Source: C:\Umbrella.flv.exe, Author: JPCERT/CC Incident Response Group
• Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 84%
Reputation: low
Process: C:\Users\user\Desktop\7UpMyeV5pj.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
Process: C:\Users\user\Desktop\7UpMyeV5pj.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 93184
Entropy (8bit): 5.54839144289879
Encrypted: false
SSDEEP: 768:nGZefiM+0uGAfIi+qXuzMywjZdLJakHX+xWvYR4SYzktFI3tr3/iTnRVOR1MY4ss:hfil0pUjBjZdL4kHG5mktQJVR1Fpiv
MD5: A458A33E5591C3FD7F7C8AE58D50CE55
SHA1: E9342F2BD7DB767D12E0B5FAA1F2918BDABAFE77
SHA-256: 95E922BC96EC909A9EB80AE3716AF0038EE3DE24FC22B569C527764BF3BE27A1
SHA-512: 4891D5E2CEE561B87FF2399392168EAEDC4DF7FC312F0F00949DC97E9098BDB74E13F4A07CE42D660205C0AFE55419AC1FBE6C328B343E267D626289B0E6E81E
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 84%
                Process:C:\Users\user\Desktop\7UpMyeV5pj.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:false
                Preview:[ZoneTransfer]....ZoneId=0
                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):525
                Entropy (8bit):5.259753436570609
                Encrypted:false
                SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
                MD5:260E01CC001F9C4643CA7A62F395D747
                SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
                SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
                SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
                Malicious:false
                Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                Process:C:\Users\user\Desktop\7UpMyeV5pj.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):93184
                Entropy (8bit):5.54839144289879
                Encrypted:false
                SSDEEP:768:nGZefiM+0uGAfIi+qXuzMywjZdLJakHX+xWvYR4SYzktFI3tr3/iTnRVOR1MY4ss:hfil0pUjBjZdL4kHG5mktQJVR1Fpiv
                MD5:A458A33E5591C3FD7F7C8AE58D50CE55
                SHA1:E9342F2BD7DB767D12E0B5FAA1F2918BDABAFE77
                SHA-256:95E922BC96EC909A9EB80AE3716AF0038EE3DE24FC22B569C527764BF3BE27A1
                SHA-512:4891D5E2CEE561B87FF2399392168EAEDC4DF7FC312F0F00949DC97E9098BDB74E13F4A07CE42D660205C0AFE55419AC1FBE6C328B343E267D626289B0E6E81E
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 84%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................h..........^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...df... ...h.................. ..`.reloc...............j..............@..B........................................................@.......H.......................................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                Process:C:\Users\user\Desktop\7UpMyeV5pj.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:false
                Preview:[ZoneTransfer]....ZoneId=0
                Process:C:\Users\user\Desktop\7UpMyeV5pj.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):93184
                Entropy (8bit):5.54839144289879
                Encrypted:false
                SSDEEP:768:nGZefiM+0uGAfIi+qXuzMywjZdLJakHX+xWvYR4SYzktFI3tr3/iTnRVOR1MY4ss:hfil0pUjBjZdL4kHG5mktQJVR1Fpiv
                MD5:A458A33E5591C3FD7F7C8AE58D50CE55
                SHA1:E9342F2BD7DB767D12E0B5FAA1F2918BDABAFE77
                SHA-256:95E922BC96EC909A9EB80AE3716AF0038EE3DE24FC22B569C527764BF3BE27A1
                SHA-512:4891D5E2CEE561B87FF2399392168EAEDC4DF7FC312F0F00949DC97E9098BDB74E13F4A07CE42D660205C0AFE55419AC1FBE6C328B343E267D626289B0E6E81E
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 84%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................h..........^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...df... ...h.................. ..`.reloc...............j..............@..B........................................................@.......H.......................................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                Process:C:\Users\user\Desktop\7UpMyeV5pj.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:false
                Preview:[ZoneTransfer]....ZoneId=0
                Process:C:\Users\user\Desktop\7UpMyeV5pj.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):93184
                Entropy (8bit):5.54839144289879
                Encrypted:false
                SSDEEP:768:nGZefiM+0uGAfIi+qXuzMywjZdLJakHX+xWvYR4SYzktFI3tr3/iTnRVOR1MY4ss:hfil0pUjBjZdL4kHG5mktQJVR1Fpiv
                MD5:A458A33E5591C3FD7F7C8AE58D50CE55
                SHA1:E9342F2BD7DB767D12E0B5FAA1F2918BDABAFE77
                SHA-256:95E922BC96EC909A9EB80AE3716AF0038EE3DE24FC22B569C527764BF3BE27A1
                SHA-512:4891D5E2CEE561B87FF2399392168EAEDC4DF7FC312F0F00949DC97E9098BDB74E13F4A07CE42D660205C0AFE55419AC1FBE6C328B343E267D626289B0E6E81E
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 84%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................h..........^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...df... ...h.................. ..`.reloc...............j..............@..B........................................................@.......H.......................................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                Process:C:\Users\user\Desktop\7UpMyeV5pj.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:false
                Preview:[ZoneTransfer]....ZoneId=0
                Process:C:\Users\user\Desktop\7UpMyeV5pj.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):93184
                Entropy (8bit):5.54839144289879
                Encrypted:false
                SSDEEP:768:nGZefiM+0uGAfIi+qXuzMywjZdLJakHX+xWvYR4SYzktFI3tr3/iTnRVOR1MY4ss:hfil0pUjBjZdL4kHG5mktQJVR1Fpiv
                MD5:A458A33E5591C3FD7F7C8AE58D50CE55
                SHA1:E9342F2BD7DB767D12E0B5FAA1F2918BDABAFE77
                SHA-256:95E922BC96EC909A9EB80AE3716AF0038EE3DE24FC22B569C527764BF3BE27A1
                SHA-512:4891D5E2CEE561B87FF2399392168EAEDC4DF7FC312F0F00949DC97E9098BDB74E13F4A07CE42D660205C0AFE55419AC1FBE6C328B343E267D626289B0E6E81E
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 84%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................h..........^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...df... ...h.................. ..`.reloc...............j..............@..B........................................................@.......H.......................................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                Process:C:\Users\user\Desktop\7UpMyeV5pj.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:false
                Preview:[ZoneTransfer]....ZoneId=0
                Process:C:\Users\user\Desktop\7UpMyeV5pj.exe
                File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                Category:dropped
                Size (bytes):5
                Entropy (8bit):2.321928094887362
                Encrypted:false
                SSDEEP:3:xn:x
                MD5:311D687FAFFAED10F44EA27C024986B6
                SHA1:EECE910EA8CB7AED467E2E7700F7C223D3FBBC9E
                SHA-256:608547D80BF0E4B3D9CFFFD324702B4AA38DB2F0BFB3DB4BD517B556FDF4DE2B
                SHA-512:296D2CBBBF39917B174682A73E571A98130B2FE1C2DCB7C84ADBD185A0B3A81384AD556E3A88CDEAA01FBD5CB486C58C1E1DFF22F77CD3E9DF7315B93355272B
                Malicious:false
                Preview:.12
                Process:C:\Users\user\Desktop\7UpMyeV5pj.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):93184
                Entropy (8bit):5.54839144289879
                Encrypted:false
                SSDEEP:768:nGZefiM+0uGAfIi+qXuzMywjZdLJakHX+xWvYR4SYzktFI3tr3/iTnRVOR1MY4ss:hfil0pUjBjZdL4kHG5mktQJVR1Fpiv
                MD5:A458A33E5591C3FD7F7C8AE58D50CE55
                SHA1:E9342F2BD7DB767D12E0B5FAA1F2918BDABAFE77
                SHA-256:95E922BC96EC909A9EB80AE3716AF0038EE3DE24FC22B569C527764BF3BE27A1
                SHA-512:4891D5E2CEE561B87FF2399392168EAEDC4DF7FC312F0F00949DC97E9098BDB74E13F4A07CE42D660205C0AFE55419AC1FBE6C328B343E267D626289B0E6E81E
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 84%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................h..........^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...df... ...h.................. ..`.reloc...............j..............@..B........................................................@.......H.......................................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                Process:C:\Users\user\Desktop\7UpMyeV5pj.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:false
                Preview:[ZoneTransfer]....ZoneId=0
                Process:C:\Users\user\Desktop\7UpMyeV5pj.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):93184
                Entropy (8bit):5.54839144289879
                Encrypted:false
                SSDEEP:768:nGZefiM+0uGAfIi+qXuzMywjZdLJakHX+xWvYR4SYzktFI3tr3/iTnRVOR1MY4ss:hfil0pUjBjZdL4kHG5mktQJVR1Fpiv
                MD5:A458A33E5591C3FD7F7C8AE58D50CE55
                SHA1:E9342F2BD7DB767D12E0B5FAA1F2918BDABAFE77
                SHA-256:95E922BC96EC909A9EB80AE3716AF0038EE3DE24FC22B569C527764BF3BE27A1
                SHA-512:4891D5E2CEE561B87FF2399392168EAEDC4DF7FC312F0F00949DC97E9098BDB74E13F4A07CE42D660205C0AFE55419AC1FBE6C328B343E267D626289B0E6E81E
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 84%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................h..........^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...df... ...h.................. ..`.reloc...............j..............@..B........................................................@.......H.......................................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                Process:C:\Users\user\Desktop\7UpMyeV5pj.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:false
                Preview:[ZoneTransfer]....ZoneId=0
                Process:C:\Users\user\Desktop\7UpMyeV5pj.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):93184
                Entropy (8bit):5.54839144289879
                Encrypted:false
                SSDEEP:768:nGZefiM+0uGAfIi+qXuzMywjZdLJakHX+xWvYR4SYzktFI3tr3/iTnRVOR1MY4ss:hfil0pUjBjZdL4kHG5mktQJVR1Fpiv
                MD5:A458A33E5591C3FD7F7C8AE58D50CE55
                SHA1:E9342F2BD7DB767D12E0B5FAA1F2918BDABAFE77
                SHA-256:95E922BC96EC909A9EB80AE3716AF0038EE3DE24FC22B569C527764BF3BE27A1
                SHA-512:4891D5E2CEE561B87FF2399392168EAEDC4DF7FC312F0F00949DC97E9098BDB74E13F4A07CE42D660205C0AFE55419AC1FBE6C328B343E267D626289B0E6E81E
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 84%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................h..........^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...df... ...h.................. ..`.reloc...............j..............@..B........................................................@.......H.......................................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                Process:C:\Users\user\Desktop\7UpMyeV5pj.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:false
                Preview:[ZoneTransfer]....ZoneId=0
                Process:C:\Users\user\Desktop\7UpMyeV5pj.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):93184
                Entropy (8bit):5.54839144289879
                Encrypted:false
                SSDEEP:768:nGZefiM+0uGAfIi+qXuzMywjZdLJakHX+xWvYR4SYzktFI3tr3/iTnRVOR1MY4ss:hfil0pUjBjZdL4kHG5mktQJVR1Fpiv
                MD5:A458A33E5591C3FD7F7C8AE58D50CE55
                SHA1:E9342F2BD7DB767D12E0B5FAA1F2918BDABAFE77
                SHA-256:95E922BC96EC909A9EB80AE3716AF0038EE3DE24FC22B569C527764BF3BE27A1
                SHA-512:4891D5E2CEE561B87FF2399392168EAEDC4DF7FC312F0F00949DC97E9098BDB74E13F4A07CE42D660205C0AFE55419AC1FBE6C328B343E267D626289B0E6E81E
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 84%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................h..........^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...df... ...h.................. ..`.reloc...............j..............@..B........................................................@.......H.......................................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                Process:C:\Users\user\Desktop\7UpMyeV5pj.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:false
                Preview:[ZoneTransfer]....ZoneId=0
                Process:C:\Users\user\Desktop\7UpMyeV5pj.exe
                File Type:Microsoft Windows Autorun file
                Category:dropped
                Size (bytes):55
                Entropy (8bit):4.474554204780528
                Encrypted:false
                SSDEEP:3:It1KV2PHQCyK0x:e1KAwCyD
                MD5:40B1630BE21F39CB17BD1963CAE5A207
                SHA1:63C14BD151D42820DD45C033363FA5B9E1D34124
                SHA-256:F87E55F1A423B65FD639146F71F6027DBD4D6E69B65D9A17F1744774AA6589E1
                SHA-512:833112ED4A9A3C621D2FFFC78F83502B2937B82A2CF9BC692D75D907CE2AA46C2D97CFE23C402DB3292B2DD2655FF8692C3CD00D5BA4D792C3D8AF24958E1926
                Malicious:true
                Preview:[autorun]..open=C:\Umbrella.flv.exe..shellexecute=C:\..
                Process:C:\Users\user\Desktop\7UpMyeV5pj.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):93184
                Entropy (8bit):5.54839144289879
                Encrypted:false
                SSDEEP:768:nGZefiM+0uGAfIi+qXuzMywjZdLJakHX+xWvYR4SYzktFI3tr3/iTnRVOR1MY4ss:hfil0pUjBjZdL4kHG5mktQJVR1Fpiv
                MD5:A458A33E5591C3FD7F7C8AE58D50CE55
                SHA1:E9342F2BD7DB767D12E0B5FAA1F2918BDABAFE77
                SHA-256:95E922BC96EC909A9EB80AE3716AF0038EE3DE24FC22B569C527764BF3BE27A1
                SHA-512:4891D5E2CEE561B87FF2399392168EAEDC4DF7FC312F0F00949DC97E9098BDB74E13F4A07CE42D660205C0AFE55419AC1FBE6C328B343E267D626289B0E6E81E
                Malicious:true
                Yara Hits:
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\system.exe, Author: Joe Security
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\system.exe, Author: Joe Security
                • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\system.exe, Author: unknown
                • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\system.exe, Author: unknown
                • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\system.exe, Author: Florian Roth
                • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\system.exe, Author: Florian Roth
                • Rule: Njrat, Description: detect njRAT in memory, Source: C:\system.exe, Author: JPCERT/CC Incident Response Group
                • Rule: Njrat, Description: detect njRAT in memory, Source: C:\system.exe, Author: JPCERT/CC Incident Response Group
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 84%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................h..........^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...df... ...h.................. ..`.reloc...............j..............@..B........................................................@.......H.......................................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                Process:C:\Users\user\Desktop\7UpMyeV5pj.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:true
                Preview:[ZoneTransfer]....ZoneId=0
                Process:C:\Windows\SysWOW64\netsh.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):313
                Entropy (8bit):4.971939296804078
                Encrypted:false
                SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                MD5:689E2126A85BF55121488295EE068FA1
                SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
                SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                Malicious:false
                Preview:..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....
                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit):5.54839144289879
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                • Win32 Executable (generic) a (10002005/4) 49.75%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Windows Screen Saver (13104/52) 0.07%
                • Generic Win/DOS Executable (2004/3) 0.01%
                File name:7UpMyeV5pj.exe
                File size:93'184 bytes
                MD5:a458a33e5591c3fd7f7c8ae58d50ce55
                SHA1:e9342f2bd7db767d12e0b5faa1f2918bdabafe77
                SHA256:95e922bc96ec909a9eb80ae3716af0038ee3de24fc22b569c527764bf3be27a1
                SHA512:4891d5e2cee561b87ff2399392168eaedc4df7fc312f0f00949dc97e9098bdb74e13f4a07ce42d660205c0afe55419ac1fbe6c328b343e267d626289b0e6e81e
                SSDEEP:768:nGZefiM+0uGAfIi+qXuzMywjZdLJakHX+xWvYR4SYzktFI3tr3/iTnRVOR1MY4ss:hfil0pUjBjZdL4kHG5mktQJVR1Fpiv
                TLSH:E593E84E33E550A5E2FE4AF3A870B2404F79F0471742938D49E1A9761A33AD88F54DBB
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................h..........^.... ........@.. ....................................@................................
                Icon Hash:90cececece8e8eb0
                Entrypoint:0x41865e
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Time Stamp:0x66DDA3D1 [Sun Sep 8 13:17:05 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                Instruction
                jmp dword ptr [00402000h]
                add byte ptr [eax], al
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1860c | 0x4f | .text
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0xc | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x2000 | 0x16664 | 0x16800 | 50913fcfee7479654f3aa61c50d99843 | False | 0.36346571180555554 | data | 5.5810258478903085 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .reloc | 0x1a000 | 0xc | 0x200 | ff06ea9c63404a08dec111ab855065d8 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                DLL | Import
                mscoree.dll | _CorExeMain
                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                2024-09-12T19:12:07.209155+0200 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49730 | 3.124.142.205 | 11348 | TCP
                2024-09-12T19:12:07.209155+0200 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49730 | 3.124.142.205 | 11348 | TCP
                2024-09-12T19:12:13.524657+0200 | 2825564 | ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) | 1 | 192.168.2.4 | 49730 | 3.124.142.205 | 11348 | TCP
                2024-09-12T19:13:10.390914+0200 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49738 | 18.192.31.165 | 11348 | TCP
                2024-09-12T19:13:10.390914+0200 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49738 | 18.192.31.165 | 11348 | TCP
                2024-09-12T19:13:17.417672+0200 | 2825564 | ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) | 1 | 192.168.2.4 | 49738 | 18.192.31.165 | 11348 | TCP
                2024-09-12T19:14:15.626582+0200 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49739 | 18.192.31.165 | 11348 | TCP
                2024-09-12T19:14:15.626582+0200 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49739 | 18.192.31.165 | 11348 | TCP
                2024-09-12T19:14:26.767361+0200 | 2825564 | ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) | 1 | 192.168.2.4 | 49739 | 18.192.31.165 | 11348 | TCP
                2024-09-12T19:15:18.931966+0200 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.4 | 49740 | 18.192.31.165 | 11348 | TCP
                2024-09-12T19:15:18.931966+0200 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.4 | 49740 | 18.192.31.165 | 11348 | TCP
                2024-09-12T19:15:26.630243+0200 | 2825564 | ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) | 1 | 192.168.2.4 | 49740 | 18.192.31.165 | 11348 | TCP
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Sep 12, 2024 19:12:06.603899002 CEST | 49730 | 11348 | 192.168.2.4 | 3.124.142.205
                Sep 12, 2024 19:12:06.608886957 CEST | 11348 | 49730 | 3.124.142.205 | 192.168.2.4
                Sep 12, 2024 19:12:06.609121084 CEST | 49730 | 11348 | 192.168.2.4 | 3.124.142.205
                Sep 12, 2024 19:12:07.209155083 CEST | 49730 | 11348 | 192.168.2.4 | 3.124.142.205
                Sep 12, 2024 19:12:07.214140892 CEST | 11348 | 49730 | 3.124.142.205 | 192.168.2.4
                Sep 12, 2024 19:12:07.214201927 CEST | 49730 | 11348 | 192.168.2.4 | 3.124.142.205
                Sep 12, 2024 19:12:07.218981981 CEST | 11348 | 49730 | 3.124.142.205 | 192.168.2.4
                Sep 12, 2024 19:12:13.524657011 CEST | 49730 | 11348 | 192.168.2.4 | 3.124.142.205
                Sep 12, 2024 19:12:13.529761076 CEST | 11348 | 49730 | 3.124.142.205 | 192.168.2.4
                Sep 12, 2024 19:13:08.347505093 CEST | 11348 | 49730 | 3.124.142.205 | 192.168.2.4
                Sep 12, 2024 19:13:08.347678900 CEST | 49730 | 11348 | 192.168.2.4 | 3.124.142.205
                Sep 12, 2024 19:13:10.373028994 CEST | 49730 | 11348 | 192.168.2.4 | 3.124.142.205
                Sep 12, 2024 19:13:10.378176928 CEST | 11348 | 49730 | 3.124.142.205 | 192.168.2.4
                Sep 12, 2024 19:13:10.385195017 CEST | 49738 | 11348 | 192.168.2.4 | 18.192.31.165
                Sep 12, 2024 19:13:10.390109062 CEST | 11348 | 49738 | 18.192.31.165 | 192.168.2.4
                Sep 12, 2024 19:13:10.390193939 CEST | 49738 | 11348 | 192.168.2.4 | 18.192.31.165
                Sep 12, 2024 19:13:10.390913963 CEST | 49738 | 11348 | 192.168.2.4 | 18.192.31.165
                Sep 12, 2024 19:13:10.395777941 CEST | 11348 | 49738 | 18.192.31.165 | 192.168.2.4
                Sep 12, 2024 19:13:10.395858049 CEST | 49738 | 11348 | 192.168.2.4 | 18.192.31.165
                Sep 12, 2024 19:13:10.400701046 CEST | 11348 | 49738 | 18.192.31.165 | 192.168.2.4
                Sep 12, 2024 19:13:17.417671919 CEST | 49738 | 11348 | 192.168.2.4 | 18.192.31.165
                Sep 12, 2024 19:13:17.422574043 CEST | 11348 | 49738 | 18.192.31.165 | 192.168.2.4
                Sep 12, 2024 19:14:12.228375912 CEST | 11348 | 49738 | 18.192.31.165 | 192.168.2.4
                Sep 12, 2024 19:14:12.228466034 CEST | 49738 | 11348 | 192.168.2.4 | 18.192.31.165
                Sep 12, 2024 19:14:14.284995079 CEST | 49738 | 11348 | 192.168.2.4 | 18.192.31.165
                Sep 12, 2024 19:14:14.332241058 CEST | 11348 | 49738 | 18.192.31.165 | 192.168.2.4
                Sep 12, 2024 19:14:14.799984932 CEST | 49739 | 11348 | 192.168.2.4 | 18.192.31.165
                Sep 12, 2024 19:14:14.805140972 CEST | 11348 | 49739 | 18.192.31.165 | 192.168.2.4
                Sep 12, 2024 19:14:14.805376053 CEST | 49739 | 11348 | 192.168.2.4 | 18.192.31.165
                Sep 12, 2024 19:14:15.626581907 CEST | 49739 | 11348 | 192.168.2.4 | 18.192.31.165
                Sep 12, 2024 19:14:15.631624937 CEST | 11348 | 49739 | 18.192.31.165 | 192.168.2.4
                Sep 12, 2024 19:14:15.631692886 CEST | 49739 | 11348 | 192.168.2.4 | 18.192.31.165
                Sep 12, 2024 19:14:15.639007092 CEST | 11348 | 49739 | 18.192.31.165 | 192.168.2.4
                Sep 12, 2024 19:14:26.767360926 CEST | 49739 | 11348 | 192.168.2.4 | 18.192.31.165
                Sep 12, 2024 19:14:26.772316933 CEST | 11348 | 49739 | 18.192.31.165 | 192.168.2.4
                Sep 12, 2024 19:15:16.287909031 CEST | 11348 | 49739 | 18.192.31.165 | 192.168.2.4
                Sep 12, 2024 19:15:16.288014889 CEST | 49739 | 11348 | 192.168.2.4 | 18.192.31.165
                Sep 12, 2024 19:15:18.329113007 CEST | 49739 | 11348 | 192.168.2.4 | 18.192.31.165
                Sep 12, 2024 19:15:18.334920883 CEST | 11348 | 49739 | 18.192.31.165 | 192.168.2.4
                Sep 12, 2024 19:15:18.923003912 CEST | 49740 | 11348 | 192.168.2.4 | 18.192.31.165
                Sep 12, 2024 19:15:18.927954912 CEST | 11348 | 49740 | 18.192.31.165 | 192.168.2.4
                Sep 12, 2024 19:15:18.928037882 CEST | 49740 | 11348 | 192.168.2.4 | 18.192.31.165
                Sep 12, 2024 19:15:18.931966066 CEST | 49740 | 11348 | 192.168.2.4 | 18.192.31.165
                Sep 12, 2024 19:15:18.936803102 CEST | 11348 | 49740 | 18.192.31.165 | 192.168.2.4
                Sep 12, 2024 19:15:18.936856031 CEST | 49740 | 11348 | 192.168.2.4 | 18.192.31.165
                Sep 12, 2024 19:15:18.942363024 CEST | 11348 | 49740 | 18.192.31.165 | 192.168.2.4
                Sep 12, 2024 19:15:26.630243063 CEST | 49740 | 11348 | 192.168.2.4 | 18.192.31.165
                Sep 12, 2024 19:15:26.635476112 CEST | 11348 | 49740 | 18.192.31.165 | 192.168.2.4
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Sep 12, 2024 19:12:06.590308905 CEST | 57504 | 53 | 192.168.2.4 | 1.1.1.1
                Sep 12, 2024 19:12:06.599098921 CEST | 53 | 57504 | 1.1.1.1 | 192.168.2.4
                Sep 12, 2024 19:13:10.374242067 CEST | 51035 | 53 | 192.168.2.4 | 1.1.1.1
                Sep 12, 2024 19:13:10.384324074 CEST | 53 | 51035 | 1.1.1.1 | 192.168.2.4
                Sep 12, 2024 19:14:14.285820961 CEST | 61230 | 53 | 192.168.2.4 | 1.1.1.1
                Sep 12, 2024 19:14:14.336390972 CEST | 53 | 61230 | 1.1.1.1 | 192.168.2.4
                Sep 12, 2024 19:15:18.875526905 CEST | 57854 | 53 | 192.168.2.4 | 1.1.1.1
                Sep 12, 2024 19:15:18.893723011 CEST | 53 | 57854 | 1.1.1.1 | 192.168.2.4
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Sep 12, 2024 19:12:06.590308905 CEST | 192.168.2.4 | 1.1.1.1 | 0x8fd8 | Standard query (0) | 0.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
                Sep 12, 2024 19:13:10.374242067 CEST | 192.168.2.4 | 1.1.1.1 | 0x9780 | Standard query (0) | 0.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
                Sep 12, 2024 19:14:14.285820961 CEST | 192.168.2.4 | 1.1.1.1 | 0x9f99 | Standard query (0) | 0.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
                Sep 12, 2024 19:15:18.875526905 CEST | 192.168.2.4 | 1.1.1.1 | 0xc551 | Standard query (0) | 0.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Sep 12, 2024 19:12:06.599098921 CEST | 1.1.1.1 | 192.168.2.4 | 0x8fd8 | No error (0) | 0.tcp.eu.ngrok.io | | 3.124.142.205 | A (IP address) | IN (0x0001) | false
                Sep 12, 2024 19:13:10.384324074 CEST | 1.1.1.1 | 192.168.2.4 | 0x9780 | No error (0) | 0.tcp.eu.ngrok.io | | 18.192.31.165 | A (IP address) | IN (0x0001) | false
                Sep 12, 2024 19:14:14.336390972 CEST | 1.1.1.1 | 192.168.2.4 | 0x9f99 | No error (0) | 0.tcp.eu.ngrok.io | | 18.192.31.165 | A (IP address) | IN (0x0001) | false
                Sep 12, 2024 19:15:18.893723011 CEST | 1.1.1.1 | 192.168.2.4 | 0xc551 | No error (0) | 0.tcp.eu.ngrok.io | | 18.192.31.165 | A (IP address) | IN (0x0001) | false


                Target ID:0
                Start time:13:12:00
                Start date:12/09/2024
                Path:C:\Users\user\Desktop\7UpMyeV5pj.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\7UpMyeV5pj.exe"
                Imagebase:0xb60000
                File size:93'184 bytes
                MD5 hash:A458A33E5591C3FD7F7C8AE58D50CE55
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.1700381612.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.4138418627.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:false

                Target ID:1
                Start time:13:12:02
                Start date:12/09/2024
                Path:C:\Windows\SysWOW64\netsh.exe
                Wow64 process (32bit):true
                Commandline:netsh firewall add allowedprogram "C:\Users\user\Desktop\7UpMyeV5pj.exe" "7UpMyeV5pj.exe" ENABLE
                Imagebase:0x1560000
                File size:82'432 bytes
                MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:2
                Start time:13:12:02
                Start date:12/09/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:3
                Start time:13:12:13
                Start date:12/09/2024
                Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe"
                Imagebase:0x980000
                File size:93'184 bytes
                MD5 hash:A458A33E5591C3FD7F7C8AE58D50CE55
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Antivirus matches:
                • Detection: 84%, ReversingLabs
                Reputation:low
                Has exited:true


                  Execution Graph

                  Execution Coverage:25.4%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:8.7%
                  Total number of Nodes:150
                  Total number of Limit Nodes:6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID: :@k$:@k$:@k$:@k$:@k$:@k$@$\Ol$2l
                  • API String ID: 0-1979635511
                  • Opcode ID: 87df29ac0adbb10dfa9d0841be92b982bcb1c383e1974ded6065e6460b972b7a
                  • Instruction ID: 4d42f323e58c41464d2254e9081b0418d8b5204188c5c8d346c875c7c266ff79
                  • Opcode Fuzzy Hash: 87df29ac0adbb10dfa9d0841be92b982bcb1c383e1974ded6065e6460b972b7a
                  • Instruction Fuzzy Hash: 25233874A41228CFDB25DF65DD64BA9BBB1FB88304F0041E9D909A73A4DB399E84CF41
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID: $:@k$:@k$:@k$:@k$:@k$:@k$\Ol$2l
                  • API String ID: 0-38314663
                  • Opcode ID: c303229e1dae1c1e0a156ed714b13d6d0199f4799196e5fa48a2028eaa39508e
                  • Instruction ID: f7e3b49b42aecbee010c70a98c442c459e20773edc879c02fd226be437b6b66b
                  • Opcode Fuzzy Hash: c303229e1dae1c1e0a156ed714b13d6d0199f4799196e5fa48a2028eaa39508e
                  • Instruction Fuzzy Hash: 67132874A41228CFDB25DF65DD64BA9BBB1FB88304F0041E9D909A73A4DB399E84CF41
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID: 2l
                  • API String ID: 0-2574689970
                  • Opcode ID: fb79f6a6787b2620e40fd36ff90234ed10c239e1d89749b36faaf2ebaa4f44ea
                  • Instruction ID: 053fbc18170754b90aec8629c55525b4b1ef3c23cf4fbc419ff9fc3b6a447a1d
                  • Opcode Fuzzy Hash: fb79f6a6787b2620e40fd36ff90234ed10c239e1d89749b36faaf2ebaa4f44ea
                  • Instruction Fuzzy Hash: 1F421532A00221DBEB2A8BB5D95017C7BE2FB89350B158535E5959F2D0EF39FD81CB90
                  APIs
                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0125BDCB
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: AdjustPrivilegesToken
                  • String ID:
                  • API String ID: 2874748243-0
                  • Opcode ID: 030ff52ceb104efae8292b3c0bde308815163e5ab72250351eff2043157d9a72
                  • Instruction ID: 4601028a462b534453e2ddb1137821c07be0686d15da2baf060c160f5ca3bf57
                  • Opcode Fuzzy Hash: 030ff52ceb104efae8292b3c0bde308815163e5ab72250351eff2043157d9a72
                  • Instruction Fuzzy Hash: E6219F755097849FDB138F25DC84BA2BFB4AF06310F08849AEE858B563D2719918DB62
                  APIs
                  • NtQuerySystemInformation.NTDLL ref: 0125BF39
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: InformationQuerySystem
                  • String ID:
                  • API String ID: 3562636166-0
                  • Opcode ID: 931defdb06c40a58e0b99c8e9d636a2b9207e87cf0c826642737ada429d719ee
                  • Instruction ID: 29c0ebe0a16729742be158b9bcc997d0bdd362a025c362c2612d8a4dbefc4c1d
                  • Opcode Fuzzy Hash: 931defdb06c40a58e0b99c8e9d636a2b9207e87cf0c826642737ada429d719ee
                  • Instruction Fuzzy Hash: ED1190715097C09FDB228F24DC85A52FFB4EF07314F0984DAED844B663D275A918DB62
                  APIs
                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0125BDCB
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: AdjustPrivilegesToken
                  • String ID:
                  • API String ID: 2874748243-0
                  • Opcode ID: 47f731f8ad685c1707a4bf5d124a7f322451c50055b2b9b232912e906f78ef7b
                  • Instruction ID: b13c52ea8fd4fe1e3db8ef0a328276047858577b2f1c90a26c976edb161bcf3f
                  • Opcode Fuzzy Hash: 47f731f8ad685c1707a4bf5d124a7f322451c50055b2b9b232912e906f78ef7b
                  • Instruction Fuzzy Hash: 6611C2756006049FDB60CF55D885B62FBE8EF05320F08C4AADE458B652D371E418DF62
                  APIs
                  • NtQuerySystemInformation.NTDLL ref: 0125BF39
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: InformationQuerySystem
                  • String ID:
                  • API String ID: 3562636166-0
                  • Opcode ID: 4febece4152ea8b1d757bba2caa16e28bc5c08523d686818aae02f2686b65f83
                  • Instruction ID: 5f138e57ec8801f3ebfa00b392ebe6d6236d5e3f08bb055001273d719ebd02b7
                  • Opcode Fuzzy Hash: 4febece4152ea8b1d757bba2caa16e28bc5c08523d686818aae02f2686b65f83
                  • Instruction Fuzzy Hash: 83018B755106049FEB618F19D885B61FBE4EF19720F08C09AEE490A766C376E418CFA2

                  Control-flow Graph

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID: 2l$2l$5]uk^$E]uk^
                  • API String ID: 0-21019206
                  • Opcode ID: 2d0163eff919ed7f38982fd4545a0ff8ae5cf2acf7d554ab06d3331e82912a56
                  • Instruction ID: e661bff2652a406213dc8a03f70e04da29abd6b9a4e74ba3c366b94ef6119a28
                  • Opcode Fuzzy Hash: 2d0163eff919ed7f38982fd4545a0ff8ae5cf2acf7d554ab06d3331e82912a56
                  • Instruction Fuzzy Hash: 1A3129317043409FC719E772D8517AE3BA7ABD2218F0484AAD045CF7D1DF7A9C498792

                  Control-flow Graph (rendered as an image in the original report; the node/edge dump is omitted): function starting at 1500118, with calls to 1860606, 15037e1, 1503b18, 18605cf, 18605df and 15039bf
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID: 2l$2l$5]uk^$E]uk^
                  • API String ID: 0-21019206
                  • Opcode ID: 7bab7719b9f4e707a6a83d205b0be061ff6c609b1605e1de1eb6680c6f8a625b
                  • Instruction ID: 5c29b882dd7e62d3ca08796c1aab068c980860c9e5df23a72730ed4f5b1e8fa4
                  • Opcode Fuzzy Hash: 7bab7719b9f4e707a6a83d205b0be061ff6c609b1605e1de1eb6680c6f8a625b
                  • Instruction Fuzzy Hash: E111E9317042519FC359E776E4557A937D7ABE220830454AED009CB791CF7ACC0D9797
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID: :@k$:@k
                  • API String ID: 0-4032727010
                  • Opcode ID: 4bcba0532ea6b942828305f37b5fbf009487fe5ba93c54882e6ceb93e815e4bd
                  • Instruction ID: 689b114c3b33b20f50b2dba918d360c389de6a5075edb2e4643622dd06eac8cf
                  • Opcode Fuzzy Hash: 4bcba0532ea6b942828305f37b5fbf009487fe5ba93c54882e6ceb93e815e4bd
                  • Instruction Fuzzy Hash: D2C27F34B00165DFEB118B65EC10BA97BF2FB98348F10809B984997795CB38CD94DFA2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID: :@k$:@k
                  • API String ID: 0-4032727010
                  • Opcode ID: 4e29e526d5432c563260eb08fe4075242aae46a8d15577d00464c74423450fd7
                  • Instruction ID: 7721e45a8dcaaf0c834ca43cf005e6f7fb6c2e64046cfba75e83d4ed61ac5b7d
                  • Opcode Fuzzy Hash: 4e29e526d5432c563260eb08fe4075242aae46a8d15577d00464c74423450fd7
                  • Instruction Fuzzy Hash: B392B134B041609BEF128BA5D8107BD7BE6FBA8348F10805B9849977D5CB78CD94DFA2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID: :@k$:@k
                  • API String ID: 0-4032727010
                  • Opcode ID: 3385e92c0b0c732c5bad1a2cc9089454950144f66edb5d4dd2a1390b76246615
                  • Instruction ID: 8a641d8258fefd3e6b40baa7d1300bca824299ffb0cda3e08c1fcadbe5f8f529
                  • Opcode Fuzzy Hash: 3385e92c0b0c732c5bad1a2cc9089454950144f66edb5d4dd2a1390b76246615
                  • Instruction Fuzzy Hash: 0792B134B041609BEF128BA5DC107AD7BE6FBA8348F10805B9849977D5CB78CD94DFA2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID: :@k$:@k
                  • API String ID: 0-4032727010
                  • Opcode ID: 74250c7915699f52a6a8d728b906586edd760ce67301c5f3c7e868f0003f8dc9
                  • Instruction ID: 1014311b699b58d6fcf680622950afe00ddf5371ede46059401b96790ecdbb8a
                  • Opcode Fuzzy Hash: 74250c7915699f52a6a8d728b906586edd760ce67301c5f3c7e868f0003f8dc9
                  • Instruction Fuzzy Hash: 8A92B234B041609BEF128BA5DC107AD7BE6FBA8348F10805B9849977D5CB78CD94DFA2

                  Control-flow Graph (rendered as an image in the original report; the node/edge dump is omitted): function starting at 15037e1, with calls to 1860606, 1504298, 1504269, 18605cf, 18605df and 1509d90
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID: \Ol$2l
                  • API String ID: 0-1312013075
                  • Opcode ID: 73aec7ccf094efa17f96fcf31fd647d3dd334a02529e984df55110a7c66fe5ce
                  • Instruction ID: c8375b8d5ebb6f06749643a19a1b5a250ce23444e6d8386a3af336e3abb26b4c
                  • Opcode Fuzzy Hash: 73aec7ccf094efa17f96fcf31fd647d3dd334a02529e984df55110a7c66fe5ce
                  • Instruction Fuzzy Hash: 4D321430A002688FDB14DFB5D955BADBBB2FB49308F0045A9D509AB3A4DB399E84CF40

                  Control-flow Graph (rendered as an image in the original report; the node/edge dump is omitted): function starting at 1850fe3, calls RegQueryValueExW
                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 018510AA
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  • Opcode ID: 50bd3db37692ed56f5a1abf435ab6a176dd5c595b300b7f86c14a108f140b49f
                  • Instruction ID: 5cf4f102ac1a577b617ca6bb3b673971bc480dba8f1f47261132a8b68a97f415
                  • Opcode Fuzzy Hash: 50bd3db37692ed56f5a1abf435ab6a176dd5c595b300b7f86c14a108f140b49f
                  • Instruction Fuzzy Hash: 72316D6510E3C06FD3138B258C65A61BFB4EF47610F0E45CBE884CB6A3D2296909D7B2

                  Control-flow Graph (rendered as an image in the original report; the node/edge dump is omitted): function starting at 1850a24, calls RegCreateKeyExW
                  APIs
                  • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 01850ADD
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: Create
                  • String ID:
                  • API String ID: 2289755597-0
                  • Opcode ID: ff9e472c16bde504307c8e6de9e30c0f88a73849280f4187812bdfa706908ca5
                  • Instruction ID: c416a6a46f2e32c2bfa8b0404329ae52d5c5c1f83810cac03cd024526c1ef065
                  • Opcode Fuzzy Hash: ff9e472c16bde504307c8e6de9e30c0f88a73849280f4187812bdfa706908ca5
                  • Instruction Fuzzy Hash: CE318E71600344AEE7228E65CD40FA7BBECEB09714F08855AF985C7652D220E9498B71

                  Control-flow Graph (rendered as an image in the original report; the node/edge dump is omitted): function starting at 125b1e6, calls RegOpenKeyExW
                  APIs
                  • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0125B291
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: Open
                  • String ID:
                  • API String ID: 71445658-0
                  • Opcode ID: d314d2ec6a97fa8b32c74e9dcd75897f76d2f975f3e580e3886f5fe06e87d55a
                  • Instruction ID: f6013f5b0fee6cbb6e15956f08365613ca2dbf8173a7c9ca0d8f3b99caeb6e5a
                  • Opcode Fuzzy Hash: d314d2ec6a97fa8b32c74e9dcd75897f76d2f975f3e580e3886f5fe06e87d55a
                  • Instruction Fuzzy Hash: 683181715093846FD7228B65CC95FA6BFB8EF06210F08849BE984CB693D364E54DC771

                  Control-flow Graph (rendered as an image in the original report; the node/edge dump is omitted): function starting at 1851d80, calls getaddrinfo
                  APIs
                  • getaddrinfo.WS2_32(?,00000E24), ref: 01851E47
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: getaddrinfo
                  • String ID:
                  • API String ID: 300660673-0
                  • Opcode ID: 9c2ffb2219585d87e883e36a2a61dca528c21d68f31e98aed3f61c557fe8c864
                  • Instruction ID: 13092f87be5fe326772df8586dda8017c6a20ab06b658dc4d87496ac09206244
                  • Opcode Fuzzy Hash: 9c2ffb2219585d87e883e36a2a61dca528c21d68f31e98aed3f61c557fe8c864
                  • Instruction Fuzzy Hash: F631B1B1500344AFE721CB51CD84FA6FBACEB04314F04489AFA489B292D374A94DCB71

                  Control-flow Graph (rendered as an image in the original report; the node/edge dump is omitted): function starting at 1851c00, calls GetProcessTimes
                  APIs
                  • GetProcessTimes.KERNELBASE(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 01851C9D
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: ProcessTimes
                  • String ID:
                  • API String ID: 1995159646-0
                  • Opcode ID: 7cc41f06f6b6cfda1fbcae5317155bde56f00734fbfb498a370e4c6dd1d6d7eb
                  • Instruction ID: 2306be30f675e7b240305aa731c8f4499c90a9bc7c6f9fb41c52b8bc2b750711
                  • Opcode Fuzzy Hash: 7cc41f06f6b6cfda1fbcae5317155bde56f00734fbfb498a370e4c6dd1d6d7eb
                  • Instruction Fuzzy Hash: 5C31D4725097805FDB128F25DD45BA6BFB8EF06324F0884DAE884CF193D325A949C771

                  Control-flow Graph (rendered as an image in the original report; the node/edge dump is omitted): function starting at 125aa75, calls CreateFileW
                  APIs
                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0125AB25
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: c69ed99875b7c1cd4c5143b0c6cf2a008315f1a24c9ae8567b72e0d90ec3413f
                  • Instruction ID: 8accc736bf656c77b14b392e842964109a5f505f8873f07b705b197f9f658227
                  • Opcode Fuzzy Hash: c69ed99875b7c1cd4c5143b0c6cf2a008315f1a24c9ae8567b72e0d90ec3413f
                  • Instruction Fuzzy Hash: F631A271504340AFE722CF65CC85F52BFF8EF05210F08899AEA858B652D375E908CB71

                  Control-flow Graph (rendered as an image in the original report; the node/edge dump is omitted): function starting at 18514fc, calls ConvertStringSecurityDescriptorToSecurityDescriptorW
                  APIs
                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 01851593
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: DescriptorSecurity$ConvertString
                  • String ID:
                  • API String ID: 3907675253-0
                  • Opcode ID: 492a94ca2e8446a600fc501ac1704563ad89b7af36193d5ceaa188de51fa2098
                  • Instruction ID: 372e48446ff0c38ce5f45803cf3108ebbad1471b91af7ff8bfdd504f68507a39
                  • Opcode Fuzzy Hash: 492a94ca2e8446a600fc501ac1704563ad89b7af36193d5ceaa188de51fa2098
                  • Instruction Fuzzy Hash: B431AE71504344AFE7228B65DC45FA6BBA8EF05314F08849AF985CB652D364E948CB61

                  Control-flow Graph (rendered as an image in the original report; the node/edge dump is omitted): function starting at 125b036, calls CreateMutexW
                  APIs
                  • CreateMutexW.KERNELBASE(?,?), ref: 0125B0DD
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: d67df6bd2370a7ebbe273bced97f4991d0af8678c81e5840f4c6bf561c1dc39a
                  • Instruction ID: bbb6ee9ad806a07a40ba4d6c228a7b0b20107dd7cc393016c5923eb432f0c6bd
                  • Opcode Fuzzy Hash: d67df6bd2370a7ebbe273bced97f4991d0af8678c81e5840f4c6bf561c1dc39a
                  • Instruction Fuzzy Hash: DD3190B15093805FE712CB65DC95B96FFF8EF06210F08849AE984CB293D375E908CB62

                  Control-flow Graph (rendered as an image in the original report; the node/edge dump is omitted): function starting at 125b2d9, calls RegQueryValueExW
                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 0125B394
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  • Opcode ID: 2501740baf8fdf7e869f226782d7926c8f53e2cdb266fd689edecd1d2a09e651
                  • Instruction ID: e31b8af60361f89701136d225468ea721894339e40c8ef7397599705f2d0f8eb
                  • Opcode Fuzzy Hash: 2501740baf8fdf7e869f226782d7926c8f53e2cdb266fd689edecd1d2a09e651
                  • Instruction Fuzzy Hash: 0A3193755053806FE722CF65CC84FA2BFB8EF06214F08849AE985DB293D364E948CB61

                  Control-flow Graph (rendered as an image in the original report; the node/edge dump is omitted): function starting at 1850a42, calls RegCreateKeyExW
                  APIs
                  • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 01850ADD
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: Create
                  • String ID:
                  • API String ID: 2289755597-0
                  • Opcode ID: a8dd564ec854ad438d4e4ff2e7cc01471b5754beb151cb89589c3cafe8f403b0
                  • Instruction ID: f4efd9e8395174deb1d9a04afa4dde15405d2b842722af1fa4a1d19f9339937c
                  • Opcode Fuzzy Hash: a8dd564ec854ad438d4e4ff2e7cc01471b5754beb151cb89589c3cafe8f403b0
                  • Instruction Fuzzy Hash: B4218072600704AFEB21DE55CD84FA7BBECEF08714F08855AFD45D7652E720E6488A71

                  Control-flow Graph (rendered as an image in the original report; the node/edge dump is omitted): function starting at 15094d0, with calls to 1509af0, 1504210, 1860606, 18605cf and 18605df
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID: :@k
                  • API String ID: 0-2277858631
                  • Opcode ID: fa55fe53f6177309ba93c4bb179d955963f2e2f075ed63059d938ca13f30e101
                  • Instruction ID: 81b32b7165c00cc0c02fe99dbede2ff18e81c51a6ada16fd74573b7f7c43e3f6
                  • Opcode Fuzzy Hash: fa55fe53f6177309ba93c4bb179d955963f2e2f075ed63059d938ca13f30e101
                  • Instruction Fuzzy Hash: AED17C31E00205EFCB09DFB6E85199D7BB2FF88248B148529D806973A9DF399C95CF90

                  Control-flow Graph (rendered as an image in the original report; the node/edge dump is omitted): function starting at 125a6ce, calls OleGetClipboard
                  APIs
                  • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0125A77E
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: Clipboard
                  • String ID:
                  • API String ID: 220874293-0
                  • Opcode ID: b4448a9f87542542b558c29bb15ad09d2cda11e50de7a538e78d5e9222d22529
                  • Instruction ID: 05cf4a80e76b5adef43ece32faacb47209fa384aaf8f2028aa28b1a2728f80b2
                  • Opcode Fuzzy Hash: b4448a9f87542542b558c29bb15ad09d2cda11e50de7a538e78d5e9222d22529
                  • Instruction Fuzzy Hash: DE31517554D3C06FD3138B259C61B61BFB4EF87614F0A40CBE884CB6A3D2256919D772
                  APIs
                  • getaddrinfo.WS2_32(?,00000E24), ref: 01851E47
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: getaddrinfo
                  • String ID:
                  • API String ID: 300660673-0
                  • Opcode ID: d5816b89c1258b0dcb79e29c44d889e3252140f8665373ede17c8b62184f2c29
                  • Instruction ID: 77a3d57394a6fc8c6c43a3142a148a71e71ecc8afe3c5ede689e566f0805f4c9
                  • Opcode Fuzzy Hash: d5816b89c1258b0dcb79e29c44d889e3252140f8665373ede17c8b62184f2c29
                  • Instruction Fuzzy Hash: FA21D171600204AEEB21DF50CD85FBAF7ACEF04714F04485AFA48DA681D7B4A64D8B71
                  APIs
                  • RegSetValueExW.KERNELBASE(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 01850BD4
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: Value
                  • String ID:
                  • API String ID: 3702945584-0
                  • Opcode ID: ae05655a3541b0a54f60aa971a002c9f006e4224c8ef2af079dba9dd88c96b59
                  • Instruction ID: 8faa652dc310277b4669c34f9aecc5e577d45e10d704dd243ffd575e26e6c9e1
                  • Opcode Fuzzy Hash: ae05655a3541b0a54f60aa971a002c9f006e4224c8ef2af079dba9dd88c96b59
                  • Instruction Fuzzy Hash: 0F31F5725097C06FD7228B248C54B97FFB8EF06310F0885CEE9858B593C364A508C7A2
                  APIs
                  • GetExitCodeProcess.KERNELBASE(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 01852E00
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: CodeExitProcess
                  • String ID:
                  • API String ID: 3861947596-0
                  • Opcode ID: 2b8a260fed05b7f30b46f50b9d11cafd339bea517eebec3a1d9cc6d385aa14d6
                  • Instruction ID: d68b7bb3fe505a25b37fbeb1e8c59e03e0e6de62761d32f635bfa1460409e20e
                  • Opcode Fuzzy Hash: 2b8a260fed05b7f30b46f50b9d11cafd339bea517eebec3a1d9cc6d385aa14d6
                  • Instruction Fuzzy Hash: E421E6715093805FD7138B24CC55B96BFA8EF42214F0C84DAE948CF293D264A949C7B1
                  APIs
                  • SendMessageTimeoutA.USER32(?,00000E24), ref: 0125B571
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: MessageSendTimeout
                  • String ID:
                  • API String ID: 1599653421-0
                  • Opcode ID: 0f6d5bdece7278eef07c1da6f4261aad8f370ccaff9aa7c21c5b21a3d82ba836
                  • Instruction ID: eec4f854e507d19245383dc2e1cb1d767684fecf1100af58f9c42f709edb3de6
                  • Opcode Fuzzy Hash: 0f6d5bdece7278eef07c1da6f4261aad8f370ccaff9aa7c21c5b21a3d82ba836
                  • Instruction Fuzzy Hash: D121F671504340AFEB228F61DC44FA2FFB8EF46314F08849AFA858B662D375A509CB71
                  APIs
                  • SetFileAttributesW.KERNELBASE(?,?), ref: 0125BAF3
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: AttributesFile
                  • String ID:
                  • API String ID: 3188754299-0
                  • Opcode ID: 252249063ac6f83c700e89b9bdb7a75ebb4748668be4e2370c065a351a6ff523
                  • Instruction ID: 809e67f0b77076c5807a43a0751c81e314199fb3c111b36fde83160b1726e513
                  • Opcode Fuzzy Hash: 252249063ac6f83c700e89b9bdb7a75ebb4748668be4e2370c065a351a6ff523
                  • Instruction Fuzzy Hash: AD315C7154E3C09FD7138B249CA5A52BFB4AF43210F0A84DBD985CF2A3D2689849CB72
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: select
                  • String ID:
                  • API String ID: 1274211008-0
                  • Opcode ID: 151f9b9f2b52460bac8ff45777db809c7ef2745562a749c73f36e0513591195c
                  • Instruction ID: 6ee16a57fa27404bce5b2faec8a53928693120bbd1f5dac304046cc8dbd756fb
                  • Opcode Fuzzy Hash: 151f9b9f2b52460bac8ff45777db809c7ef2745562a749c73f36e0513591195c
                  • Instruction Fuzzy Hash: 83215C755093849FD762CF29C844B92BFF8EF06310F08849AED84CB263D265A909DB61
                  APIs
                  • WriteFile.KERNELBASE(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 0125AF0D
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: FileWrite
                  • String ID:
                  • API String ID: 3934441357-0
                  • Opcode ID: faa888e6ec5ad0bc8bde42b18a76751014d3687ee02bed7934f85896955e8ed2
                  • Instruction ID: 10efd6230c168a1b033addf86dc80c9bc6389e7469c1dbf037d15423c8294284
                  • Opcode Fuzzy Hash: faa888e6ec5ad0bc8bde42b18a76751014d3687ee02bed7934f85896955e8ed2
                  • Instruction Fuzzy Hash: 6C21D6B1509380AFD722CF15DD44F96BFB8EF46314F08849AE9849B153D235A508CB71
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: FileView
                  • String ID:
                  • API String ID: 3314676101-0
                  • Opcode ID: f2eb6a3c2cc1714f577cf431f4af4030a6e9a0b1c4ac3e3801f652021af1e60e
                  • Instruction ID: 58ac231210e42388a1c86b84c8fe84ea543fce94681bd8b80d571cf5b91f01fb
                  • Opcode Fuzzy Hash: f2eb6a3c2cc1714f577cf431f4af4030a6e9a0b1c4ac3e3801f652021af1e60e
                  • Instruction Fuzzy Hash: C721B171505340AFE722CF55CC44F96FBF8EF09214F08849EE9888B252D375A548CB61
                  APIs
                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 01851162
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: Socket
                  • String ID:
                  • API String ID: 38366605-0
                  • Opcode ID: 2d61fe75cccc64dfa019ec00a35aed6308d7d346a59cbf8e12cc1b9927927ccb
                  • Instruction ID: c6f1507117cd7ee4dc3f7f61084d83f8adba297d23db3ad8237169145860616e
                  • Opcode Fuzzy Hash: 2d61fe75cccc64dfa019ec00a35aed6308d7d346a59cbf8e12cc1b9927927ccb
                  • Instruction Fuzzy Hash: B7219E71505780AFE722CF55CD85B96FFB8EF05210F08889EE9858B652D375A508CB62
                  APIs
                  • RegSetValueExW.KERNELBASE(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 0125B480
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: Value
                  • String ID:
                  • API String ID: 3702945584-0
                  • Opcode ID: 97bf5c21817b2df7f746aad89fdce610789973341e4611d1c1cc5faa54fbcc12
                  • Instruction ID: c81c32ddc5c0c7c2985924eb9c3b14d1dcc2ed5f688ab62316daf58e4cfd8dfc
                  • Opcode Fuzzy Hash: 97bf5c21817b2df7f746aad89fdce610789973341e4611d1c1cc5faa54fbcc12
                  • Instruction Fuzzy Hash: 202192765047806FD7228F15DC94FA3BFBCEF46214F08849AEA85CB252D364E948C771
                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 018514A8
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  • Opcode ID: 098cc86e906065e9df177e35d3998ca232188e7bcff12c93a04d7c072b851357
                  • Instruction ID: 22aae37c98f4f7675f281fa00143f4a9f8608f51e9c9397a0775e2f1cab877e5
                  • Opcode Fuzzy Hash: 098cc86e906065e9df177e35d3998ca232188e7bcff12c93a04d7c072b851357
                  • Instruction Fuzzy Hash: AF219F71504780AFE722CB55CC84FA7BFF8EF45310F08849AE985DB692D324E948CBA1
                  APIs
                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 01851593
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: DescriptorSecurity$ConvertString
                  • String ID:
                  • API String ID: 3907675253-0
                  • Opcode ID: b063f1ffa7fd73e805893b1ec398e7d959259b5cafd6826ab921fb427a6ca014
                  • Instruction ID: ba6059408617ad5af288112123bbf677ec2f61c23f743a451134c98a374652ab
                  • Opcode Fuzzy Hash: b063f1ffa7fd73e805893b1ec398e7d959259b5cafd6826ab921fb427a6ca014
                  • Instruction Fuzzy Hash: ED21C271600204AFEB209F65DD45FAABBECEF04318F08845AFD45CB641D774E6488B71
                  APIs
                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0125AB25
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 13da11c4afa613a9ac34bda84e0b17440301098934bd0e59c75d541480febbbf
                  • Instruction ID: 057c6f0b30df7ba676c98a235e28be8cd7cfcba896c486abd9dded59e9e93f94
                  • Opcode Fuzzy Hash: 13da11c4afa613a9ac34bda84e0b17440301098934bd0e59c75d541480febbbf
                  • Instruction Fuzzy Hash: 22218371600200AFE761CF65CD85B66FBE8EF14614F048959EE458B751E375E508CBB1
                  APIs
                  • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0125B291
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: Open
                  • String ID:
                  • API String ID: 71445658-0
                  • Opcode ID: cca5db65bd16fe58b0be6d1d8dd899043b4739c3fccd773a6f559f8d127d02cf
                  • Instruction ID: be0dc2f98cf08a76428b5e12646bfb776043a44e258c2743f23cc5984c66ad06
                  • Opcode Fuzzy Hash: cca5db65bd16fe58b0be6d1d8dd899043b4739c3fccd773a6f559f8d127d02cf
                  • Instruction Fuzzy Hash: F421D172500204AEEB219F55CC85FABFBECEF05314F04845AEE45CB642D374E54D8AB2
                  APIs
                  • GetProcessWorkingSetSize.KERNEL32(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 01852EDF
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: ProcessSizeWorking
                  • String ID:
                  • API String ID: 3584180929-0
                  • Opcode ID: aa7ab8c432f33be486ffeb9840a0ffde2eada1dd05794545dc91ac0507b4bd65
                  • Instruction ID: 6d5299ff3ce0b190d8528ad93d6ea968cfd9fa452c8e40a3e1115b48befa1920
                  • Opcode Fuzzy Hash: aa7ab8c432f33be486ffeb9840a0ffde2eada1dd05794545dc91ac0507b4bd65
                  • Instruction Fuzzy Hash: 7C21A471505380AFDB22CF25DC55FA6BFB8EF46314F08849AE944DB252D374A948CBB1
                  APIs
                  • GetFileType.KERNELBASE(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 0125ACBD
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: FileType
                  • String ID:
                  • API String ID: 3081899298-0
                  • Opcode ID: 95458a8069f7e091d720b70b78218534d3f70383da713b520d12479bb4943acf
                  • Instruction ID: 6d7291f17497fc709c93d1fe9b6669da3bc12074e3165a7e9df52e4761fd1683
                  • Opcode Fuzzy Hash: 95458a8069f7e091d720b70b78218534d3f70383da713b520d12479bb4943acf
                  • Instruction Fuzzy Hash: 4B21D5B55093806FE7128B15DC91BE2BFB8EF47314F0880DAED84CB293D264A909D772
                  APIs
                  • SetErrorMode.KERNELBASE(?), ref: 0125AA44
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: ErrorMode
                  • String ID:
                  • API String ID: 2340568224-0
                  • Opcode ID: b10fbcf0863fadc0c100de90e2c7eb53fc333726ea9efe2c822e89c9aa5aa47b
                  • Instruction ID: 0a176286216602944eb99ea18ffc72775f7c89b514f910e2265a88cd98d892a7
                  • Opcode Fuzzy Hash: b10fbcf0863fadc0c100de90e2c7eb53fc333726ea9efe2c822e89c9aa5aa47b
                  • Instruction Fuzzy Hash: F921486540E3C19FD7138B258C65A51BFB4AF53624F0E81DBD9848F6A3C2689809CB72
                  APIs
                  • shutdown.WS2_32(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 018519CC
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: shutdown
                  • String ID:
                  • API String ID: 2510479042-0
                  • Opcode ID: c0fce0f4a40c8931ccf7c881fe2bb5013663b3276dbc4de4c992ea5afe564c6d
                  • Instruction ID: 0a428eef0f61d75e0f2179e5987c7b9835959b1547c397f0435f4219a26f3b6b
                  • Opcode Fuzzy Hash: c0fce0f4a40c8931ccf7c881fe2bb5013663b3276dbc4de4c992ea5afe564c6d
                  • Instruction Fuzzy Hash: 9B2195B1509380AFD712CB15DC54B96BFB8EF46214F0884DAE984DB252D368A548C7B2
                  APIs
                  • CreateMutexW.KERNELBASE(?,?), ref: 0125B0DD
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: eb8c283dca7901e07c07af6d3a2cae69229446323d8814289b1575bb3e1053af
                  • Instruction ID: a63ee2ee5075a0bf85dafbf4c923446d7c4bdec3c6e6742c3c379c22d1ef07ed
                  • Opcode Fuzzy Hash: eb8c283dca7901e07c07af6d3a2cae69229446323d8814289b1575bb3e1053af
                  • Instruction Fuzzy Hash: 1221A4716002409FE760DF69DD85BA6FBE8EF05224F048469EE48CB742D375E508CB76
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: send
                  • String ID:
                  • API String ID: 2809346765-0
                  • Opcode ID: 6e1dfb5b9ca8c14ce56c37b8317128bc7563ddbbdbc183ced0f3fd501b517c05
                  • Instruction ID: dd007d50812bca16983f6f12798c69708342a47c09d426f6cdef7751a23860c6
                  • Opcode Fuzzy Hash: 6e1dfb5b9ca8c14ce56c37b8317128bc7563ddbbdbc183ced0f3fd501b517c05
                  • Instruction Fuzzy Hash: 41219A7150D3C09FDB138B209C95A52BFB4EF47220F0985DBDD848B5A3C279A919DB72
                  APIs
                  • ioctlsocket.WS2_32(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 01852C53
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: ioctlsocket
                  • String ID:
                  • API String ID: 3577187118-0
                  • Opcode ID: 460c75fb8c9320c879a92a38990f72cbe63467b78840f393817482b2570a4386
                  • Instruction ID: 9d0d930c5f69667226201b2f5f97919975e598a43cc95771445e4d1f285553a7
                  • Opcode Fuzzy Hash: 460c75fb8c9320c879a92a38990f72cbe63467b78840f393817482b2570a4386
                  • Instruction Fuzzy Hash: FA21C671505380AFD722CF55CC44FA6BFB8EF46314F08849AE948DB252C374A508C7B1
                  APIs
                  • CopyFileW.KERNELBASE(?,?,?), ref: 0125B82A
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: CopyFile
                  • String ID:
                  • API String ID: 1304948518-0
                  • Opcode ID: b32df22459cecc7cac93b47a09a18d5a55b437c22ca7bbc1c67976a1d0223be5
                  • Instruction ID: 53362711c1a44966733f726f2b513b0d3151038aded85d6ba85d01b263c7d39f
                  • Opcode Fuzzy Hash: b32df22459cecc7cac93b47a09a18d5a55b437c22ca7bbc1c67976a1d0223be5
                  • Instruction Fuzzy Hash: 932184716053815FDB518F25CC94B62BFF8EF46610F08849AED85CB652D235E404DB61
                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 0125B394
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  • Opcode ID: 3115e1a5ecaa0a4e9e8446679fd713d826e955e04bba112792d209bbe8a213ca
                  • Instruction ID: e59e252bb20cbfc4b8c97810a5b2a4ef3ccaeec908ac4b18dea108206bcbcf29
                  • Opcode Fuzzy Hash: 3115e1a5ecaa0a4e9e8446679fd713d826e955e04bba112792d209bbe8a213ca
                  • Instruction Fuzzy Hash: CF219075610200AFE761CF59CC85FA6B7ECEF05614F08845AEE45DB652D370E948CAB2
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: FileView
                  • String ID:
                  • API String ID: 3314676101-0
                  • Opcode ID: d599fdeafd0bc96ccf696f574aa64a8a7174a89fab0430835d7519d7edccc331
                  • Instruction ID: 3911b0fc97da32b75b08bb6463fdbbfbec21c3171e562bb13fafae3789c12263
                  • Opcode Fuzzy Hash: d599fdeafd0bc96ccf696f574aa64a8a7174a89fab0430835d7519d7edccc331
                  • Instruction Fuzzy Hash: 4621AE71500204AFE721CF59CD89FA6FBE8EF09328F048459E9498B751D375E648CBB2
                  APIs
                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 01851162
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: Socket
                  • String ID:
                  • API String ID: 38366605-0
                  • Opcode ID: b26d835fa6717350d4a9c760524a4a64ad2498ee67745571c8dae890935238ee
                  • Instruction ID: 8623bbc2bedd70056deaa79f27b70d1fc0729c0029510cf5f3b9b72991f70455
                  • Opcode Fuzzy Hash: b26d835fa6717350d4a9c760524a4a64ad2498ee67745571c8dae890935238ee
                  • Instruction Fuzzy Hash: E821CF71500600AFEB21CF55CD85BA6FBE8EF09324F04889AED458A652D375E508CB72
                  APIs
                  • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 01851FCE
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: Connect
                  • String ID:
                  • API String ID: 3144859779-0
                  • Opcode ID: 87ef48f3c016aaace8a53dcc45ad7c5e63867019eaef596b913e81724a6ad666
                  • Instruction ID: d01e0bac6b1f0a6a59c75d431ca663a35d1f99097a1f0606421dc65618f4f29c
                  • Opcode Fuzzy Hash: 87ef48f3c016aaace8a53dcc45ad7c5e63867019eaef596b913e81724a6ad666
                  • Instruction Fuzzy Hash: E8218E71509380AFDB228F55DC44B62FFF8EF06310F08849AED858B663D235A918DB62
                  APIs
                  • LoadLibraryA.KERNELBASE(?,00000E24), ref: 01852297
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: 4e2f9086ca218d927acab1b82bed696f46e42b6b69d5f9479642de6974b13613
                  • Instruction ID: 2dd957097745f7dc4ac17fd65b45e428b8d2c2ea82ee8460020df603428ae275
                  • Opcode Fuzzy Hash: 4e2f9086ca218d927acab1b82bed696f46e42b6b69d5f9479642de6974b13613
                  • Instruction Fuzzy Hash: E5110671504340AFE721CB15CC85FA6FFB8DF45320F08809AFD489B292D364A948CB72
                  APIs
                  • SendMessageTimeoutA.USER32(?,00000E24), ref: 0125B571
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: MessageSendTimeout
                  • String ID:
                  • API String ID: 1599653421-0
                  • Opcode ID: 12fd751844c31e80c34ebd823ca47d88f810d08bfae0dc0624bab8bef68df302
                  • Instruction ID: b058e81adb443d6262e1463f9733448fbde4fc71f4a303cbd7833494019f5a1e
                  • Opcode Fuzzy Hash: 12fd751844c31e80c34ebd823ca47d88f810d08bfae0dc0624bab8bef68df302
                  • Instruction Fuzzy Hash: DC21E172600200AFEB318F54DC81FA6FBB8EF04714F18845AEE459A691D375E508CBB2
                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 018514A8
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  • Opcode ID: 7e9286550103b50b5057bc73d0aa9d8cc4d58af8f5e4938661a0cf650adddd05
                  • Instruction ID: 9b96e6b7cdad46d08467991a7c8cbc33398ac6dafc8e73a0c4fd56369220974e
                  • Opcode Fuzzy Hash: 7e9286550103b50b5057bc73d0aa9d8cc4d58af8f5e4938661a0cf650adddd05
                  • Instruction Fuzzy Hash: D311D271600204AFEB61CE15CC84FA6BBECEF05714F08805AED45CA651D370E548CAB1
                  APIs
                  • RegSetValueExW.KERNELBASE(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 0125B480
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: Value
                  • String ID:
                  • API String ID: 3702945584-0
                  • Opcode ID: a61782b86cedac8e26e13a14f9ec0bed601ddce8d725fa2e86c3917f9cd0ab63
                  • Instruction ID: 5ba6b8e81841a2af1d3bae4c78ef6838bdf8fa4b381911d229b4580d42614b11
                  • Opcode Fuzzy Hash: a61782b86cedac8e26e13a14f9ec0bed601ddce8d725fa2e86c3917f9cd0ab63
                  • Instruction Fuzzy Hash: 9B11D376610600AFEB718E15CC81FA7FBECEF05614F08845AEE45CA752D370E508CAB2
                  APIs
                  • GetProcessTimes.KERNELBASE(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 01851C9D
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: ProcessTimes
                  • String ID:
                  • API String ID: 1995159646-0
                  • Opcode ID: 5dfffd66061856724d2b3f2afa666c7736544ad836068dd5db4c302ddea6a325
                  • Instruction ID: 97d6332755d947f745b11c488805c3ca5c4d6954bb139cbdfa6fb806245bc1bf
                  • Opcode Fuzzy Hash: 5dfffd66061856724d2b3f2afa666c7736544ad836068dd5db4c302ddea6a325
                  • Instruction Fuzzy Hash: 0111E671600204AFEB218F55DC45BA6FBECEF05314F08845AED45CB651D375EA48CBB2
                  APIs
                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0125BC4A
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: LookupPrivilegeValue
                  • String ID:
                  • API String ID: 3899507212-0
                  • Opcode ID: 6456a05e2e7370ea1b31fa88c4f7ad0c5122450ab536fabe66f31c04c295f964
                  • Instruction ID: f7baab1a19b7d3497b365cd6b4d69bb653944835e3e23748f9d5d66d3b827c30
                  • Opcode Fuzzy Hash: 6456a05e2e7370ea1b31fa88c4f7ad0c5122450ab536fabe66f31c04c295f964
                  • Instruction Fuzzy Hash: 6E1193B16053419FDB61CF29DC84B63FFE8EF46620F0884AAED45DB652D275E804CB61
                  APIs
                  • GetProcessWorkingSetSize.KERNEL32(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 01852EDF
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: ProcessSizeWorking
                  • String ID:
                  • API String ID: 3584180929-0
                  • Opcode ID: 83306f35e542b92a03d97d70c4788b19ef3ad91b98eb39d4c1be818497e28cdf
                  • Instruction ID: ab3dfa404ee8543e0560196b2a9d2b1cc74e6071d13b5a46f96d6feea97e61a6
                  • Opcode Fuzzy Hash: 83306f35e542b92a03d97d70c4788b19ef3ad91b98eb39d4c1be818497e28cdf
                  • Instruction Fuzzy Hash: 0A11C171600204AFEB61CF15DC85BA6B7E8EF45324F08846AED49CB642D774E6488AB6
                  APIs
                  • SetProcessWorkingSetSize.KERNEL32(00000000,?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 01852FC3
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: ProcessSizeWorking
                  • String ID:
                  • API String ID: 3584180929-0
                  • Opcode ID: 795063f7fac0e40ae2d8838c43dfdca3aa0ff3f15e45e5f9ca525f569d8340f4
                  • Instruction ID: b2c7a0e8f6d4fb339cacf82dcd43134469b7e9482b987c8dd96057a03f633961
                  • Opcode Fuzzy Hash: 795063f7fac0e40ae2d8838c43dfdca3aa0ff3f15e45e5f9ca525f569d8340f4
                  • Instruction Fuzzy Hash: F71181715097806FE722CB25CC94F96BFBCEF46314F08849AF984DB192C364A948CB71
                  APIs
                  • GetExitCodeProcess.KERNELBASE(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 01852E00
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: CodeExitProcess
                  • String ID:
                  • API String ID: 3861947596-0
                  • Opcode ID: e69d2c61616d79788e3ec85559d5ac347a351f89803175733695060c7ad6a5f3
                  • Instruction ID: 8a4e83e644ed55b1d74e75e2963a7294563073c55ca6dba3c992c1679890fc6e
                  • Opcode Fuzzy Hash: e69d2c61616d79788e3ec85559d5ac347a351f89803175733695060c7ad6a5f3
                  • Instruction Fuzzy Hash: 2D110675600204AFEB51CF15DC85BA6B7ECDF05324F08846AED05CB752D774EA488AB6
                  APIs
                  • RegSetValueExW.KERNELBASE(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 01850BD4
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: Value
                  • String ID:
                  • API String ID: 3702945584-0
                  • Opcode ID: 094982f245d1f7a165224edac26a4f7eddd9c11894a38f064ad4165d16739d02
                  • Instruction ID: ae37f419e4de2802d622f2754cf0bb6b3ce571a9a887790d39fafb09d5eec770
                  • Opcode Fuzzy Hash: 094982f245d1f7a165224edac26a4f7eddd9c11894a38f064ad4165d16739d02
                  • Instruction Fuzzy Hash: 24119D72600704AFEB618E15CC84BA6FBA8EF15714F08845AFE45CA652D371E648CAB2
                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0125A5DE
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: 66e696e044ffe646f0e9816cabf28a0f3316bd0f3dbd703d0d60eedcc8785c06
                  • Instruction ID: 38071a07396028e311021a985af9e656bfdd6d6f010972ed4846fa905544d3c4
                  • Opcode Fuzzy Hash: 66e696e044ffe646f0e9816cabf28a0f3316bd0f3dbd703d0d60eedcc8785c06
                  • Instruction Fuzzy Hash: 2011A271409380AFDB228F54DC44A62FFF4EF4A210F08889AEE858B563C235A518DB72
                  APIs
                  • WriteFile.KERNELBASE(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 0125AF0D
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: FileWrite
                  • String ID:
                  • API String ID: 3934441357-0
                  • Opcode ID: 8788e728789459d280ed1e6f3151c97de259d0e8c6f2386c29b3782cd86b5484
                  • Instruction ID: 98619defd8ad1509ec63917ebb228e5bd6fe7605434f07f85cdfaa5416389299
                  • Opcode Fuzzy Hash: 8788e728789459d280ed1e6f3151c97de259d0e8c6f2386c29b3782cd86b5484
                  • Instruction Fuzzy Hash: 4D1104B1600200AFEB21CF55DC85FA6FBE8EF04314F08845AEE498B651C375E5088BB2
                  APIs
                  • DeleteFileW.KERNELBASE(?), ref: 0125B8E4
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: DeleteFile
                  • String ID:
                  • API String ID: 4033686569-0
                  • Opcode ID: ad39aa4d554e386fd965005f6f3315ebf185fc271a5c9fb3257e3f050844b888
                  • Instruction ID: e5605fdc38605aec7b209fa7cacf5f03929edb4b5188460798e8bd9c93debfd1
                  • Opcode Fuzzy Hash: ad39aa4d554e386fd965005f6f3315ebf185fc271a5c9fb3257e3f050844b888
                  • Instruction Fuzzy Hash: 2F11B6B19053809FD711CF25DC85756BFF8EF46220F0884AADD85CB253D234E908CB61
                  APIs
                  • ioctlsocket.WS2_32(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 01852C53
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: ioctlsocket
                  • String ID:
                  • API String ID: 3577187118-0
                  APIs
                  • shutdown.WS2_32(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 018519CC
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: shutdown
                  • String ID:
                  • API String ID: 2510479042-0
                  APIs
                  • LoadLibraryA.KERNELBASE(?,00000E24), ref: 01852297
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: select
                  • String ID:
                  • API String ID: 1274211008-0
                  APIs
                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0125BC4A
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: LookupPrivilegeValue
                  • String ID:
                  • API String ID: 3899507212-0
                  APIs
                  • CopyFileW.KERNELBASE(?,?,?), ref: 0125B82A
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: CopyFile
                  • String ID:
                  • API String ID: 1304948518-0
                  APIs
                  • GetFileType.KERNELBASE(?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 0125ACBD
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: FileType
                  • String ID:
                  • API String ID: 3081899298-0
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: CloseFind
                  • String ID:
                  • API String ID: 1863332320-0
                  APIs
                  • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 01851FCE
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: Connect
                  • String ID:
                  • API String ID: 3144859779-0
                  APIs
                  • SetFileAttributesW.KERNELBASE(?,?), ref: 0125BAF3
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: AttributesFile
                  • String ID:
                  • API String ID: 3188754299-0
                  APIs
                  • SetProcessWorkingSetSize.KERNEL32(00000000,?,00000E24,2E65B919,00000000,00000000,00000000,00000000), ref: 01852FC3
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: ProcessSizeWorking
                  • String ID:
                  • API String ID: 3584180929-0
                  APIs
                  • DeleteFileW.KERNELBASE(?), ref: 0125B8E4
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: DeleteFile
                  • String ID:
                  • API String ID: 4033686569-0
                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0125A5DE
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  APIs
                  • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 018510AA
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138388587.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1850000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: QueryValue
                  • String ID:
                  • API String ID: 3660427363-0
                  APIs
                  • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0125A77E
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: Clipboard
                  • String ID:
                  • API String ID: 220874293-0
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: send
                  • String ID:
                  • API String ID: 2809346765-0
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: CloseFind
                  • String ID:
                  • API String ID: 1863332320-0
                  APIs
                  • SetErrorMode.KERNELBASE(?), ref: 0125AA44
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: ErrorMode
                  • String ID:
                  • API String ID: 2340568224-0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID: :@k
                  • API String ID: 0-2277858631
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID: :@k
                  • API String ID: 0-2277858631
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID: :@k
                  • API String ID: 0-2277858631
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID: :@k
                  • API String ID: 0-2277858631
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID: :@k
                  • API String ID: 0-2277858631
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID: 2l
                  • API String ID: 0-2574689970
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID: :@k
                  • API String ID: 0-2277858631
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID: \Ol
                  • API String ID: 0-1319056321
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID: 2l
                  • API String ID: 0-2574689970
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID: :@k
                  • API String ID: 0-2277858631
                  APIs
                  • CloseHandle.KERNELBASE(?), ref: 0125ABF0
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: CloseHandle
                  • String ID:
                  • API String ID: 2962429428-0
                  APIs
                  • CloseHandle.KERNELBASE(?), ref: 0125BE84
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: CloseHandle
                  • String ID:
                  • API String ID: 2962429428-0
                  APIs
                  • CloseHandle.KERNELBASE(?), ref: 0125A690
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: CloseHandle
                  • String ID:
                  • API String ID: 2962429428-0
                  APIs
                  • CloseHandle.KERNELBASE(?), ref: 0125ABF0
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: CloseHandle
                  • String ID:
                  • API String ID: 2962429428-0
                  APIs
                  • CloseHandle.KERNELBASE(?), ref: 0125BE84
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: CloseHandle
                  • String ID:
                  • API String ID: 2962429428-0
                  APIs
                  • CloseHandle.KERNELBASE(?), ref: 0125A690
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_125a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID: CloseHandle
                  • String ID:
                  • API String ID: 2962429428-0
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 38703d645b2a1149f913d0edc8ef7587d7215782e3a67a180e3796a101c3d650
                  • Instruction ID: 25916d8a82ca3956f7136a2b5d2a0f5ae5b8a89b1b7039c31b2eb1fe2cfe807e
                  • Opcode Fuzzy Hash: 38703d645b2a1149f913d0edc8ef7587d7215782e3a67a180e3796a101c3d650
                  • Instruction Fuzzy Hash: 2841D130601601DFE716DBBADC053AC3AE2BB49314F188565D681DB2D1EB38ED85CB20
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 02ff94f6219a01673369d2b02c88e42db5a8b89c90b1f46e7c19614f2e1512c2
                  • Instruction ID: 09150e14af2e7b92243fc60d4bf2b3eacec10a86b101895987bf1018876419a1
                  • Opcode Fuzzy Hash: 02ff94f6219a01673369d2b02c88e42db5a8b89c90b1f46e7c19614f2e1512c2
                  • Instruction Fuzzy Hash: 2231A031B002059FDB15CBB9D854BAEBBE6BF88208F148029E509EB3E5DF709C04CB81
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138626087.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_5450000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4e510020e5a467c6b7100e11d3b13aa92326518eb844213910639827011bdaa4
                  • Instruction ID: 43523e99dcb971a084a534167aae7175fcba8e03247b59ffe9d184857f26ad35
                  • Opcode Fuzzy Hash: 4e510020e5a467c6b7100e11d3b13aa92326518eb844213910639827011bdaa4
                  • Instruction Fuzzy Hash: 1C11BAB5A08341AFD340CF19D880A5BFBE4FB98664F04895EF998D7311D231E9148FA2
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138404024.0000000001860000.00000040.00000020.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1860000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a0cf2609d08f1c3750d9c86dbf155e39fd8058288a26418db3b3d4de1792d022
                  • Instruction ID: ef1d3ee3eb893e3fa73952cd5f222a29c1f3ba58af3e89a6b45be0a04689c64e
                  • Opcode Fuzzy Hash: a0cf2609d08f1c3750d9c86dbf155e39fd8058288a26418db3b3d4de1792d022
                  • Instruction Fuzzy Hash: AA11B430644284DFD715CB14D980F25BBA9AB89708F24C9ACF9498BB53C77BD903CA96
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: de25f975359c2ffaf7a612179ee0f16d8d50b7bd23a88b54dc4d300a49a5cebd
                  • Instruction ID: 637a00b174bec309592670afbd7b5d0895c4582471111181dcee846cb0d2976a
                  • Opcode Fuzzy Hash: de25f975359c2ffaf7a612179ee0f16d8d50b7bd23a88b54dc4d300a49a5cebd
                  • Instruction Fuzzy Hash: 5201F7343143418FC3562B74AC650A93BB6EF8621670645FAD481DB392EB7E8C4AC7A6
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ebfe30e741a6b38501a0ef5b46aea20165b87802271e900e9145c571cdc95919
                  • Instruction ID: 4f75cc7e17e3b2ba71d4e5ef6ad1873b556ed277a2b13f861e366ace99eeebd9
                  • Opcode Fuzzy Hash: ebfe30e741a6b38501a0ef5b46aea20165b87802271e900e9145c571cdc95919
                  • Instruction Fuzzy Hash: 0C119A71E10205DFCB94DB78DD054EEBBFAEB89218B2080BAC409E7354EB358D45CB90
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b1cc5a1fd0e887668d5c2d500b2559f65dbb6ab7822519aacb87b3de33422e77
                  • Instruction ID: d15fe2331c1fc379f913214c8731e6059b5dc49b1f0eb727607fafbff38d5741
                  • Opcode Fuzzy Hash: b1cc5a1fd0e887668d5c2d500b2559f65dbb6ab7822519aacb87b3de33422e77
                  • Instruction Fuzzy Hash: EA115B7148E3C19FC3438B619C695943FB4AE93224B4E81DBC484CF5A7D6AC4D5ACB62
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138404024.0000000001860000.00000040.00000020.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1860000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5a4032bc572a3e14b1858743624ac2b6083b097bc4cfba5dcf743f2008ef33ff
                  • Instruction ID: 3ea576021036964a18bb477b41422e82fb5c9c96d44094df422c7dfca40a43ee
                  • Opcode Fuzzy Hash: 5a4032bc572a3e14b1858743624ac2b6083b097bc4cfba5dcf743f2008ef33ff
                  • Instruction Fuzzy Hash: 05117F355093809FC703CB64D840B65BFA1EF4B318F298ADEE4848B663C7369917DB51
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138626087.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_5450000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fe649a92869c640fa87ef4f4c08cd486fab83127429d34746695451181d60868
                  • Instruction ID: ffa5a06188e8bca5d9c95788c12f7c259167d93bad86b1daf6f900d228a2a7f4
                  • Opcode Fuzzy Hash: fe649a92869c640fa87ef4f4c08cd486fab83127429d34746695451181d60868
                  • Instruction Fuzzy Hash: 7611BAB5A08301AFD750CF09DC81E5BFBE8EB98660F04895EF95997311D271E9088FA2
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137806085.000000000126A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_126a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fe23387eb4eadbf743754de19a805fcf0641f0e4b71f56c9fe0a11b0e23a2672
                  • Instruction ID: 2145ba21b865364c663564a9c667acadba31e8fd2a4b6e0f88fd3be3a63bc682
                  • Opcode Fuzzy Hash: fe23387eb4eadbf743754de19a805fcf0641f0e4b71f56c9fe0a11b0e23a2672
                  • Instruction Fuzzy Hash: EC11BAB5A08301AFD350CF09DC81E5BFBE8EB98660F04895EF95997311D271E9088FA2
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138404024.0000000001860000.00000040.00000020.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1860000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ec5a14e6fdf77c3cde040c31ba662ca036e6f5b3683e7ee763b8033e93917790
                  • Instruction ID: 5b0d8e5919ab9cbfa253cd286d6634c55b93c491db1fde5ebd754fd7f9fbdf3f
                  • Opcode Fuzzy Hash: ec5a14e6fdf77c3cde040c31ba662ca036e6f5b3683e7ee763b8033e93917790
                  • Instruction Fuzzy Hash: D901A7B55497806FC7128B26AC51896BFF8DF87260709C4DBE889CB713C125B919CBB2
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138404024.0000000001860000.00000040.00000020.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1860000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 92b0234c9412de286d82ccf579039f143f4377fc220b5ace613851828dadb14f
                  • Instruction ID: 685bf1a24c70a4ab7658605a232eaedb26d70b21c1ab5d504e10253c2d47f4ab
                  • Opcode Fuzzy Hash: 92b0234c9412de286d82ccf579039f143f4377fc220b5ace613851828dadb14f
                  • Instruction Fuzzy Hash: 9B01D6B65493805FC7128B15AC408A2FFACEE86620709C49BEC498B712D225A908CBB2
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138404024.0000000001860000.00000040.00000020.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1860000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 80a981c0aafe7c1fd5a260cf49f7c4ddee1d5fb219370c55699b30cbf10cd1ee
                  • Instruction ID: 440ba66d934d2de8802ba7313bee36a00c99cb396abfaa236115f20ba19c76c2
                  • Opcode Fuzzy Hash: 80a981c0aafe7c1fd5a260cf49f7c4ddee1d5fb219370c55699b30cbf10cd1ee
                  • Instruction Fuzzy Hash: A71182345087C0CFC713CB14D940B15BBB5EB8A714F28C6EEE8884B653C33A9912CB81
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f9ddc8be475a30c2dd0529326dcd585a0610c8a9a27c5598f5058433d059997b
                  • Instruction ID: 6c1059d8c9857f184218ec89a6d2b3ebee0a0abf01bdf435a4071567ec5b7bb5
                  • Opcode Fuzzy Hash: f9ddc8be475a30c2dd0529326dcd585a0610c8a9a27c5598f5058433d059997b
                  • Instruction Fuzzy Hash: 49011B3461A386DFCB41EB74D95855D7BE1EFA5248B04882CE485CB3A5EF7988488F83
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6a7418d4ad95405fec5c3b47ec5d82393b3342a87afde81f5daf63e49de77716
                  • Instruction ID: b46cb7cd64baf0b4d71e4bbb62f86df8f37eef02df7849014f10af741e28304d
                  • Opcode Fuzzy Hash: 6a7418d4ad95405fec5c3b47ec5d82393b3342a87afde81f5daf63e49de77716
                  • Instruction Fuzzy Hash: 61F0C232A10304AFEB189FB0CC42BAF7BA6EF82764F14856E9581DB2D1DA3148818780
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138404024.0000000001860000.00000040.00000020.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1860000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6dc4326b67231364798729e908b600a200bc049dd3777e5434ae37fbb665f6be
                  • Instruction ID: c6203cbc7cef9a53013ad7b39a302f8fd020afeecc6b675fbcc32597ab072a05
                  • Opcode Fuzzy Hash: 6dc4326b67231364798729e908b600a200bc049dd3777e5434ae37fbb665f6be
                  • Instruction Fuzzy Hash: F701563510C3C49FC303CB14D950B55BFB5FB86318F1986EAE9858B653C33A9916DB91
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138404024.0000000001860000.00000040.00000020.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1860000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e6850d79e688ef7387407e307c00caab001beb49244c143f541758b1d055de9a
                  • Instruction ID: 9342cb7a1c2d330eb117cbdcc9262aae1ec108d09d3a8c43ca2acca01cd13a26
                  • Opcode Fuzzy Hash: e6850d79e688ef7387407e307c00caab001beb49244c143f541758b1d055de9a
                  • Instruction Fuzzy Hash: 8FF06935148684DFC302CF04D980B15FBA6EB88718F24CAADE9480BB62C737E913DB81
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138404024.0000000001860000.00000040.00000020.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1860000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b236e6a4eac0cf22c58f439f3ff16a3edd3426664fc414984071cb6eef282117
                  • Instruction ID: dd112337a88657c5cf9e6aca311853efff44121db848d040f6aa4de538ee3496
                  • Opcode Fuzzy Hash: b236e6a4eac0cf22c58f439f3ff16a3edd3426664fc414984071cb6eef282117
                  • Instruction Fuzzy Hash: 1FE092B66006008BD750CF0AEC81452F7D8EB84630B08C07FDC0D8B711D235F909CAA5
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138626087.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_5450000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 02a5d20105429acccc3a036fc50feb9bed427a4fe3935e581d44b339ba4845bb
                  • Instruction ID: e425975b284bd5a5b4548f6fdc1d5a8c7830e3290f145dd7445b65413fb8848c
                  • Opcode Fuzzy Hash: 02a5d20105429acccc3a036fc50feb9bed427a4fe3935e581d44b339ba4845bb
                  • Instruction Fuzzy Hash: DFE0D8F264020067D3108E069C45F52FB9CDB54A30F08C467ED081B742D172B51489E6
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138626087.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_5450000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0a3977daebda8e045addda3ce4adb96e0b9ecf1397299279b1220b029d687bdd
                  • Instruction ID: f8cfa20728a53a68f9d9220135757ad29d70a2a3e6686bb3eb76492a66c60b1c
                  • Opcode Fuzzy Hash: 0a3977daebda8e045addda3ce4adb96e0b9ecf1397299279b1220b029d687bdd
                  • Instruction Fuzzy Hash: ABE0D8F660020467D2509E069C85F53FB9CDB50A30F08C457ED081B712D172B90489F6
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138626087.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_5450000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4f2e28f1cb55c5a509818b1bcedc392f9241a2ae7f4e97a4a70662df1b9ed81c
                  • Instruction ID: f2649fac1624cd1295706f5fab40433c350267d842545235f18fef873eaef8f0
                  • Opcode Fuzzy Hash: 4f2e28f1cb55c5a509818b1bcedc392f9241a2ae7f4e97a4a70662df1b9ed81c
                  • Instruction Fuzzy Hash: 57E0D8F660020067D2109E069C45F53FB9CDB51A30F08C457ED081B702D172B514C9E6
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137806085.000000000126A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_126a000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4481267e48e3b4fbed486bb430745b8d0613ce66814e2c2b657fa00f0d9e745a
                  • Instruction ID: c9af9d085729ae876fc1a8bed6c90161514535d1b1bf6789fd9976203f493b6b
                  • Opcode Fuzzy Hash: 4481267e48e3b4fbed486bb430745b8d0613ce66814e2c2b657fa00f0d9e745a
                  • Instruction Fuzzy Hash: D5E0D8F264020467D2108E069C45F52F79CDB50A30F08C557ED085B712D172B50489F6
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 67788cef064eee3f6b8ebd948c508e334efcd3a9d4c386f3c4a8baa796c65026
                  • Instruction ID: 7156b4fc14d936ef8c7dfbfc835dba08e4a9275e8460a4dba3545c21528042f0
                  • Opcode Fuzzy Hash: 67788cef064eee3f6b8ebd948c508e334efcd3a9d4c386f3c4a8baa796c65026
                  • Instruction Fuzzy Hash: FBE04F309693849FC795CF6498514E97BB4EB46214B1041BAD849C3261E6350E04CF42
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1ac10244765d692fc3203d11e7215d996fdbc0119fb841a8d5b6881aeb061e69
                  • Instruction ID: 31f8b2caa6ef1a536415f0e7030e1aaf0576e0bd62779cbce003e4b84c48dc15
                  • Opcode Fuzzy Hash: 1ac10244765d692fc3203d11e7215d996fdbc0119fb841a8d5b6881aeb061e69
                  • Instruction Fuzzy Hash: E2E01230D653459FC7A69BB0E9594ED7BF4FB4232071040EAC445D7272EA790D158B41
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 651022adc9e9a35f82f4bee8b4c029685d8f8d1a89b5e31a946608d870411095
                  • Instruction ID: 9eafcc588d2250dd5442fbd65a8b9abb00365a00117ac8128d2c5e8d2505ccfe
                  • Opcode Fuzzy Hash: 651022adc9e9a35f82f4bee8b4c029685d8f8d1a89b5e31a946608d870411095
                  • Instruction Fuzzy Hash: 12E0EC301A6390CFC75A5B70A4294983BB1AB8721935044BEC4468A669DA7E8C86CB00
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137746242.0000000001252000.00000040.00000800.00020000.00000000.sdmp, Offset: 01252000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1252000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2c9f11e00020a173308e3d8bcc8a3b7c2a2214d679b64eeecca94f80147cae8a
                  • Instruction ID: e42152de11be95b85cc35c01f788aec594b21b94c36c49dd90f500c2366c3840
                  • Opcode Fuzzy Hash: 2c9f11e00020a173308e3d8bcc8a3b7c2a2214d679b64eeecca94f80147cae8a
                  • Instruction Fuzzy Hash: 1DD05E792157D2CFE3169A1CC1A4B953FE8AB61714F4A44F9AD008B7A3C768D581D600
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2a1452aa497608f949ec717a5a6889504c758c247609b57d7e4fa47ca376e7b5
                  • Instruction ID: 8a8d5bc884b99ce9107e594e2a4a870c09456f8f7dd3efadef0a702ac96539be
                  • Opcode Fuzzy Hash: 2a1452aa497608f949ec717a5a6889504c758c247609b57d7e4fa47ca376e7b5
                  • Instruction Fuzzy Hash: 29D0C971A15208EF8744EFA9E94589DB7F9EB49215B1041AAE809D3760EE315E04DB81
                  Memory Dump Source
                  • Source File: 00000000.00000002.4137746242.0000000001252000.00000040.00000800.00020000.00000000.sdmp, Offset: 01252000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1252000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 31676220a0df2d7c34e93fe5159e51a8895f2892ad621f71b1297581f470911e
                  • Instruction ID: 2a16fcf690dc0ae23244f19bb751b6f6ac495c4948eb1c776e7d27c474f24c11
                  • Opcode Fuzzy Hash: 31676220a0df2d7c34e93fe5159e51a8895f2892ad621f71b1297581f470911e
                  • Instruction Fuzzy Hash: BED05E34200282CBD715DB0CC6D4F593BD8AB50B14F1A44E8BD108B7A2C7B4D8C1CA00
                  Memory Dump Source
                  • Source File: 00000000.00000002.4138228264.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1500000_7UpMyeV5pj.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4ed4980cb7369ddd60285c42ca705d697f1c1c322dffc6b94c9964b72da48fa6
                  • Instruction ID: 4b00f64f7103db11bad6674c34bff9a3a44469d094b2883518326eb752c7fdfa
                  • Opcode Fuzzy Hash: 4ed4980cb7369ddd60285c42ca705d697f1c1c322dffc6b94c9964b72da48fa6
                  • Instruction Fuzzy Hash: 20B1B5365092719BE7338AB6E9510797AE1BB8425130A41B6F4D1CF1D5EF2CEDC1C7A0
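                  As an added example, not part of the Joe Sandbox report or its tooling: each per-function record above carries an Instruction Fuzzy Hash, and several of them are near-identical at two different dump offsets (the 05450000 and 0126A000 records whose hashes differ in only a few characters). The Python below parses seven of those records, copied from this page as constructed input, and reports such pairs. Treating the fuzzy hash as a positional digest and counting mismatching characters is this example's own heuristic, not a documented Joe Sandbox comparison; the field set it extracts and the 5-character threshold are assumptions.

```python
"""Find functions in a Joe Sandbox report whose Instruction Fuzzy Hash is
near-identical, to spot the same code mapped into more than one memory region."""
import re
from collections import namedtuple
from itertools import combinations

# Constructed input: seven "Memory Dump Source" records copied from this report,
# trimmed to the fields this parser reads.
RECORDS_TEXT = """
Memory Dump Source
• Source File: 00000000.00000002.4137760899.000000000125A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125A000, based on PE: false
• API ID: CloseHandle
• Opcode ID: c050b1952dafa1d32ff694de1ef4c3e57a821920b9b13028681919f10cc043af
• Instruction Fuzzy Hash: 06012171A10200CFDB50CF05D886762FBE4EF45220F08C4AACD088F316C279E508CEB2
Memory Dump Source
• Source File: 00000000.00000002.4138626087.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
• API ID:
• Opcode ID: fe649a92869c640fa87ef4f4c08cd486fab83127429d34746695451181d60868
• Instruction Fuzzy Hash: 7611BAB5A08301AFD750CF09DC81E5BFBE8EB98660F04895EF95997311D271E9088FA2
Memory Dump Source
• Source File: 00000000.00000002.4137806085.000000000126A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126A000, based on PE: false
• API ID:
• Opcode ID: fe23387eb4eadbf743754de19a805fcf0641f0e4b71f56c9fe0a11b0e23a2672
• Instruction Fuzzy Hash: EC11BAB5A08301AFD350CF09DC81E5BFBE8EB98660F04895EF95997311D271E9088FA2
Memory Dump Source
• Source File: 00000000.00000002.4138626087.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
• API ID:
• Opcode ID: 02a5d20105429acccc3a036fc50feb9bed427a4fe3935e581d44b339ba4845bb
• Instruction Fuzzy Hash: DFE0D8F264020067D3108E069C45F52FB9CDB54A30F08C467ED081B742D172B51489E6
Memory Dump Source
• Source File: 00000000.00000002.4138626087.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
• API ID:
• Opcode ID: 0a3977daebda8e045addda3ce4adb96e0b9ecf1397299279b1220b029d687bdd
• Instruction Fuzzy Hash: ABE0D8F660020467D2509E069C85F53FB9CDB50A30F08C457ED081B712D172B90489F6
Memory Dump Source
• Source File: 00000000.00000002.4138626087.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
• API ID:
• Opcode ID: 4f2e28f1cb55c5a509818b1bcedc392f9241a2ae7f4e97a4a70662df1b9ed81c
• Instruction Fuzzy Hash: 57E0D8F660020067D2109E069C45F53FB9CDB51A30F08C457ED081B702D172B514C9E6
Memory Dump Source
• Source File: 00000000.00000002.4137806085.000000000126A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126A000, based on PE: false
• API ID:
• Opcode ID: 4481267e48e3b4fbed486bb430745b8d0613ce66814e2c2b657fa00f0d9e745a
• Instruction Fuzzy Hash: D5E0D8F264020467D2108E069C45F52F79CDB50A30F08C557ED085B712D172B50489F6
"""

Record = namedtuple("Record", ["offset", "api", "opcode_id", "fuzzy"])

# One regex per field; "[ \t]*" (not "\s*") keeps an empty "API ID:" from
# swallowing the bullet on the next line.
FIELDS = {
    "offset": re.compile(r"Offset:[ \t]*([0-9A-Fa-f]+)"),
    "api": re.compile(r"API ID:[ \t]*([^\s]*)"),
    "opcode_id": re.compile(r"Opcode ID:[ \t]*([0-9a-f]+)"),
    "fuzzy": re.compile(r"Instruction Fuzzy Hash:[ \t]*([0-9A-F]+)"),
}


def parse_records(text):
    """Split the text at each "Memory Dump Source" header and keep every record
    that carries an Instruction Fuzzy Hash."""
    records = []
    for chunk in text.split("Memory Dump Source")[1:]:
        values = {name: (m.group(1) if (m := rx.search(chunk)) else "")
                  for name, rx in FIELDS.items()}
        if values["fuzzy"]:
            records.append(Record(**values))
    return records


def fuzzy_distance(a, b):
    """Number of positions at which two fuzzy hashes differ. Assumption: the hash
    is positional, so this approximates code similarity; unequal lengths count
    as fully different."""
    if len(a) != len(b):
        return max(len(a), len(b))
    return sum(x != y for x, y in zip(a, b))


def similar_pairs(records, max_distance=5):
    """All record pairs whose hashes are within max_distance of each other."""
    return [(r1, r2, d) for r1, r2 in combinations(records, 2)
            if (d := fuzzy_distance(r1.fuzzy, r2.fuzzy)) <= max_distance]


def cross_region_duplicates(records, max_distance=5):
    """Near-identical functions that live at different dump offsets: the case
    where the same code has been mapped twice (for instance a loader and the
    copy it unpacked)."""
    return [(r1, r2, d) for r1, r2, d in similar_pairs(records, max_distance)
            if r1.offset != r2.offset]


if __name__ == "__main__":
    for r1, r2, d in cross_region_duplicates(parse_records(RECORDS_TEXT)):
        print(f"{r1.offset} {r1.opcode_id[:12]} ~ {r2.offset} {r2.opcode_id[:12]} (distance {d})")
```

                  Run against the full report export, the same function parsed from several dumps lands in one cluster; a pair that is close in hash but lives in two regions is the one worth opening in the disassembler, since it shows where the unpacked code ended up.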

                  Execution Graph

                  Execution Coverage:12.5%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:0%
                  Total number of Nodes:52
                  Total number of Limit Nodes:4
                  execution_graph (node index and address; an API name marks the node that makes the call; "->" is a graph edge)
                  • 1812 115aa75 -> 1814 115aaa6 CreateFileW -> 1815 115ab2d
                  • 1796 115ac37 -> 1797 115ac6a GetFileType -> 1799 115accc
                  • 1816 115af76 -> 1818 115afaa CreateMutexW -> 1819 115b025
                  • 1820 115a573 -> 1821 115a59a DuplicateHandle -> 1823 115a5e6
                  • 1757 115aa12 -> 1758 115aa3e SetErrorMode -> 1760 115aa53; 1757 -> 1759 115aa67 -> 1758
                  • 1824 115ab7c -> 1825 115abbe CloseHandle -> 1827 115abf8
                  • 1800 115a9bf -> 1801 115a9c9 SetErrorMode -> 1803 115aa53
                  • 1761 115abbe -> 1763 115abea CloseHandle -> 1764 115abf8; 1761 -> 1762 115ac29 -> 1763
                  • 1765 115a65e -> 1767 115a68a OleInitialize -> 1768 115a698; 1765 -> 1766 115a6c0 -> 1767
                  • 1792 115a61e -> 1793 115a65e OleInitialize -> 1795 115a698
                  • 1769 115a59a -> 1771 115a5d8 DuplicateHandle -> 1772 115a5e6; 1769 -> 1770 115a610 -> 1771
                  • 1773 115aaa6 -> 1774 115aade CreateFileW -> 1776 115ab2d
                  • 1780 115adee -> 1783 115ae23 WriteFile -> 1782 115ae55
                  • 1804 115a6ce -> 1805 115a72e OleGetClipboard -> 1807 115a78c
                  • 1808 115adce -> 1811 115adee WriteFile -> 1810 115ae55
                  • 1784 115afaa -> 1785 115afe2 CreateMutexW -> 1787 115b025
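                  As an added example that is not part of the Joe Sandbox report: the execution graph is exported as a flat token stream (node index, address, optional API name, and "a->b" edges). The Python below parses that stream for this sample's 52-node graph, embedded verbatim as constructed input, and recovers which Windows API each entry point reaches. Only the token layout is assumed; node indices, addresses and API names are the report's own.

```python
"""Parse the execution_graph token stream exported by Joe Sandbox and recover,
for every entry point, the Windows API calls reached from it."""
import re
from collections import defaultdict

# Constructed input: the execution_graph for 7UpMyeV5pj.exe, copied from the
# report. Layout: "<node> <addr> [<api>]" for nodes and "<a>-><b>" for edges.
EXECUTION_GRAPH = (
    "execution_graph 1812 115aa75 1814 115aaa6 CreateFileW 1812->1814 1815 115ab2d 1814->1815 "
    "1796 115ac37 1797 115ac6a GetFileType 1796->1797 1799 115accc 1797->1799 "
    "1816 115af76 1818 115afaa CreateMutexW 1816->1818 1819 115b025 1818->1819 "
    "1820 115a573 1821 115a59a DuplicateHandle 1820->1821 1823 115a5e6 1821->1823 "
    "1757 115aa12 1758 115aa3e SetErrorMode 1757->1758 1759 115aa67 1757->1759 1760 115aa53 1758->1760 1759->1758 "
    "1824 115ab7c 1825 115abbe CloseHandle 1824->1825 1827 115abf8 1825->1827 "
    "1800 115a9bf 1801 115a9c9 SetErrorMode 1800->1801 1803 115aa53 1801->1803 "
    "1761 115abbe 1762 115ac29 1761->1762 1763 115abea CloseHandle 1761->1763 1762->1763 1764 115abf8 1763->1764 "
    "1765 115a65e 1766 115a6c0 1765->1766 1767 115a68a OleInitialize 1765->1767 1766->1767 1768 115a698 1767->1768 "
    "1792 115a61e 1793 115a65e OleInitialize 1792->1793 1795 115a698 1793->1795 "
    "1769 115a59a 1770 115a610 1769->1770 1771 115a5d8 DuplicateHandle 1769->1771 1770->1771 1772 115a5e6 1771->1772 "
    "1773 115aaa6 1774 115aade CreateFileW 1773->1774 1776 115ab2d 1774->1776 "
    "1780 115adee 1783 115ae23 WriteFile 1780->1783 1782 115ae55 1783->1782 "
    "1804 115a6ce 1805 115a72e OleGetClipboard 1804->1805 1807 115a78c 1805->1807 "
    "1808 115adce 1811 115adee WriteFile 1808->1811 1810 115ae55 1811->1810 "
    "1784 115afaa 1785 115afe2 CreateMutexW 1784->1785 1787 115b025 1785->1787"
)

_EDGE = re.compile(r"^(\d+)->(\d+)$")


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps node id -> (address, api or None),
    edges maps node id -> successor ids in the order the report lists them."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges = {}, defaultdict(list)
    i = 0
    while i < len(tokens):
        m = _EDGE.match(tokens[i])
        if m:
            edges[int(m.group(1))].append(int(m.group(2)))
            i += 1
            continue
        # A node is "<id> <addr>", optionally followed by an API name: any token
        # that is neither a bare integer (next node id) nor an edge.
        node_id, addr = int(tokens[i]), tokens[i + 1]
        i += 2
        api = None
        if i < len(tokens) and not tokens[i].isdigit() and not _EDGE.match(tokens[i]):
            api = tokens[i]
            i += 1
        nodes[node_id] = (addr, api)
    return nodes, edges


def roots(nodes, edges):
    """Entry points: nodes that no edge points at."""
    targets = {dst for dsts in edges.values() for dst in dsts}
    return [n for n in nodes if n not in targets]


def api_sequences(nodes, edges):
    """Map each entry-point address to the API names reached from it, in
    depth-first order, so the reader sees which import each root drives."""
    result = {}
    for root in roots(nodes, edges):
        seen, order, stack = set(), [], [root]
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            api = nodes[n][1]
            if api:
                order.append(api)
            stack.extend(reversed(edges.get(n, [])))
        result[nodes[root][0]] = order
    return result


def api_calls(nodes):
    """Sorted set of every API name present in the graph."""
    return sorted({api for _, api in nodes.values() if api})


if __name__ == "__main__":
    g_nodes, g_edges = parse_execution_graph(EXECUTION_GRAPH)
    for addr, apis in sorted(api_sequences(g_nodes, g_edges).items()):
        print(f"{addr}: {' -> '.join(apis) or '(no API)'}")
```

                  The node count the parser returns (52) matches the "Total number of Nodes" figure in the report header, which is a cheap sanity check that the token stream was copied whole. The recovered API set (CreateFileW, WriteFile, CreateMutexW, OleGetClipboard and the handle and error-mode calls) is the same list a triage note would write down by hand.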

                  Callgraph

                  • Executed
                  • Not Executed
                  • Opacity -> Relevance
                  • Disassembly available
                  callgraph (node index: function; call edges listed after the node table)
                  • 0 Function_00E205E0, 1 Function_05050006, 2 Function_01152310, 3 Function_0115AA12, 4 Function_0115A61E, 5 Function_05054208, 6 Function_0115A005, 7 Function_01152006, 8 Function_05053B10, 9 Function_05053010
                  • 10 Function_0115A20C, 11 Function_05050118, 12 Function_0115A50A, 13 Function_00E205C0, 14 Function_0115AC37, 15 Function_0115A836, 16 Function_01152430, 17 Function_0115213C, 18 Function_0115A23A, 19 Function_00E205D0
                  • 20 Function_05054230, 21 Function_0115A02E, 22 Function_0115A72E, 23 Function_05053047, 24 Function_05054147, 25 Function_05053140, 26 Function_0115AD52, 27 Function_0115A65E, 28 Function_05050449, 29 Function_01152458
                  • 30 Function_01152044, 31 Function_0115A140, 32 Function_0505265D, 33 Function_05053C5E, 34 Function_05053058, 35 Function_0115A44A, 36 Function_0115AA75, 37 Function_0115B074, 38 Function_0115AF76, 39 Function_05053160
                  • 40 Function_0115A573, 41 Function_0115A472, 42 Function_0115247C, 43 Function_0115AB7C, 44 Function_0115A078, 45 Function_0115A865, 46 Function_01152264, 47 Function_01152364, 48 Function_00E2009B, 49 Function_05054278
                  • 50 Function_0115AC6A, 51 Function_01152194, 52 Function_0115AE97, 53 Function_00E2066A, 54 Function_01152098, 55 Function_0115A59A, 56 Function_00E2026D, 57 Function_0115A384, 58 Function_0115A186, 59 Function_00E20074
                  • 60 Function_0115268D, 61 Function_00E2067F, 62 Function_011522B4, 63 Function_00E20740, 64 Function_0115A2B0, 65 Function_0115A7B0, 66 Function_0115B0B2, 67 Function_050502A2, 68 Function_011523BC, 69 Function_00E20648
                  • 70 Function_0115A9BF, 71 Function_0115ABBE, 72 Function_0115A0BE, 73 Function_050500A8, 74 Function_050539B7, 75 Function_0115AAA6, 76 Function_050502B1, 77 Function_050500B8, 78 Function_0115A3A8, 79 Function_0115AFAA
                  • 80 Function_05053DC4, 81 Function_0115A7D1, 82 Function_05053FC0, 83 Function_050502C0, 84 Function_011520D0, 85 Function_0115AED2, 86 Function_0115A2D2, 87 Function_0115A4D8, 88 Function_0115A6CE, 89 Function_0115ADCE
                  • 90 Function_0115A3CA, 91 Function_011523F4, 92 Function_00E20000, 93 Function_00E20606, 94 Function_050501E1, 95 Function_011521F0, 96 Function_0115A2FE, 97 Function_0115ACF8, 98 Function_00E2000C, 99 Function_011525FB
                  • 100 Function_00E20710, 101 Function_0115ADEE, 102 Function_05053CF9, 103 Function_050541F8, 104 Function_050537FA
                  Call edges (caller -> callees):
                  • Function_05053010 -> Function_00E205E0, Function_00E20606
                  • Function_05050118 -> Function_00E205E0, Function_05053B10, Function_050539B7, Function_00E20606, Function_050537FA
                  • Function_05054278 -> Function_05053058
                  • Function_00E20648 -> Function_00E2066A
                  • Function_050500A8 -> Function_00E205E0, Function_05053B10, Function_0115A20C, Function_0115A23A, Function_050539B7, Function_00E20606, Function_050537FA
                  • Function_050502B1 -> Function_050500B8
                  • Function_050500B8 -> Function_00E205E0, Function_05053B10, Function_0115A20C, Function_0115A23A, Function_050539B7, Function_00E20606, Function_050537FA
                  • Function_050502C0 -> Function_050500B8
                  • Function_050501E1 -> Function_00E205E0, Function_00E20606

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph (basic block index and address range; successor blocks after ->; a block without an arrow has no recorded successor)
                  • 0 50537fa-5053909 -> 17, 18
                  • 17 505390f-5053911 -> 21
                  • 18 505390b -> 19, 20
                  • 19 5053913 -> 21
                  • 20 505390d -> 17
                  • 21 5053918-505391f -> 22, 23
                  • 22 50539b5-5053ad7 -> 47, 48
                  • 23 5053925-50539aa -> 22
                  • 47 5053b53-5053ba6 -> 56, 57
                  • 48 5053ad9-5053b49 -> 47
                  • 56 5053bad-5053bc7 -> 59, 60
                  • 57 5053ba8 -> 56
                  • 59 5053bfe-5053cb3 -> 71, 72
                  • 60 5053bc9-5053bf3 -> 59
                  • 71 5053cb9-5053cf7 -> 72
                  • 72 5053d3b -> 73
                  • 73 50541d5-50541e0 -> 74, 75
                  • 74 50541e6-50541ed
                  • 75 5053d40-5053d5e -> 79, 80
                  • 79 5053d60-5053d66 -> 80
                  • 80 5053d69-5053d74 -> 83, 84
                  • 83 505418b-50541d3 -> 73
                  • 84 5053d7a-5053d8e -> 86, 87
                  • 86 5053e06-5053e17 -> 89, 90
                  • 87 5053d90-5053dc2 -> 86
                  • 89 5053e67-5053e75 -> 91, 92
                  • 90 5053e19-5053e43 -> 89, 100
                  • 91 5054189 -> 73
                  • 92 5053e7b-5053f2e -> 113, 114
                  • 100 5053e45-5053e5f -> 89
                  • 113 5053f34-5053fb7 -> 114
                  • 114 5053fbe-50540b5 -> 129, 130
                  • 129 5054145 -> 91
                  • 130 50540bb-505413e -> 129
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1851043432.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_5050000_Explower.jbxd
                  Similarity
                  • API ID:
                  • String ID: \Ol$2l
                  • API String ID: 0-1312013075
                  • Opcode ID: 88caeb7ed95e11d6e5513ac9d5d8c8767dd344e6750c03cbd7c442be4b6ebe5f
                  • Instruction ID: 6f65f0bd72be5c6e0d569abd0a223d917bbbb99117c7788b31ce47029f657a74
                  • Opcode Fuzzy Hash: 88caeb7ed95e11d6e5513ac9d5d8c8767dd344e6750c03cbd7c442be4b6ebe5f
                  • Instruction Fuzzy Hash: A8323930A00228CFDB59EF75D855BEEB7B2AF49304F1046A9D509AB3A8DB359D81CF40

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph (basic block index and address range; "call" blocks are the resolved call targets; successor blocks after ->; a block without an arrow has no recorded successor)
                  • 136 50500b8-50500cd -> 158, 159, 160, 161
                  • 158 50500d0 call e205e0 -> 138
                  • 159 50500d0 call e20606 -> 138
                  • 160 50500d0 call 115a20c -> 138
                  • 161 50500d0 call 115a23a -> 138
                  • 138 50500d5-50500f7 -> 141, 142
                  • 141 50500f9-505010a
                  • 142 505010b-50501d5 -> 162, 163, 164, 165, 166
                  • 162 50501d5 call e205e0 -> 157
                  • 163 50501d5 call 50539b7 -> 157
                  • 164 50501d5 call e20606 -> 157
                  • 165 50501d5 call 5053b10 -> 157
                  • 166 50501d5 call 50537fa -> 157
                  • 157 50501db-50501de
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1851043432.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_5050000_Explower.jbxd
                  Similarity
                  • API ID:
                  • String ID: 2l$2l
                  • API String ID: 0-1080021723
                  • Opcode ID: e3ffd4d5bf07ef3e5b8b51eb08ccfad5ab4ce70186c8fc0ef6de89bcbbde5938
                  • Instruction ID: 206da7aa7852774350edf64b6780b49b64488a6bc743b72a96d0a6918896740a
                  • Opcode Fuzzy Hash: e3ffd4d5bf07ef3e5b8b51eb08ccfad5ab4ce70186c8fc0ef6de89bcbbde5938
                  • Instruction Fuzzy Hash: 663125317083509FC719EB7598117EE3BABAFD2258F0489BAC005DB392CF769C098792

                  Control-flow Graph

                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1851043432.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_5050000_Explower.jbxd
                  Similarity
                  • API ID:
                  • String ID: 2l$2l
                  • API String ID: 0-1080021723
                  • Opcode ID: 66f826abfd07f15920f5096ce18b4e18f9bc780f9d1517b4586d10a9ffadc378
                  • Instruction ID: 3b74883b858fcbde7c97602c632cc87b96b1a57a1ea3a5310b7cac024979c617
                  • Opcode Fuzzy Hash: 66f826abfd07f15920f5096ce18b4e18f9bc780f9d1517b4586d10a9ffadc378
                  • Instruction Fuzzy Hash: 7911E9357042518FC35AA775A4117EA27DBABE2248304596FC009DB756CF77DC098793

                  Control-flow Graph

                  APIs
                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0115AB25
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849829586.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_115a000_Explower.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: c2e8a27fb5ec4c3cf57521c45eeeaa57cfafcdfd2b1e11a9cb453e31a4488818
                  • Instruction ID: 57fc03fcef3d38451365db7479ad5a43c3cf09ab76b87c2ebf92bd4e44a385b1
                  • Opcode Fuzzy Hash: c2e8a27fb5ec4c3cf57521c45eeeaa57cfafcdfd2b1e11a9cb453e31a4488818
                  • Instruction Fuzzy Hash: 5231A071505380AFE722CF65DC84F92BFF8EF05210F08899AE9898B652D375E808CB61

                  Control-flow Graph

                  APIs
                  • CreateMutexW.KERNELBASE(?,?), ref: 0115B01D
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849829586.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_115a000_Explower.jbxd
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: d664b45934139c6eccb89e0db9c117e0bc8bdddf7a362f48522ac47257befc2e
                  • Instruction ID: e7b03112ca72587a21b48953d4547b9e91be5c472631f20a6b09851e5c2f099f
                  • Opcode Fuzzy Hash: d664b45934139c6eccb89e0db9c117e0bc8bdddf7a362f48522ac47257befc2e
                  • Instruction Fuzzy Hash: D43195715093809FE711CB65DD95B96BFF8EF06210F08849AE944CB293D375E909C772

                  Control-flow Graph

                  APIs
                  • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0115A77E
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849829586.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_115a000_Explower.jbxd
                  Similarity
                  • API ID: Clipboard
                  • String ID:
                  • API String ID: 220874293-0
                  • Opcode ID: 2a6a51eaa3f1f435978164839485813098b70863ffd358d61714ef93bf2b9889
                  • Instruction ID: 1900aedbf60f27e546e1f6f0294068ed9107e0d0ce82ab6aed6a138bccae813c
                  • Opcode Fuzzy Hash: 2a6a51eaa3f1f435978164839485813098b70863ffd358d61714ef93bf2b9889
                  • Instruction Fuzzy Hash: 5F31717544D3C06FD3138B259C61BA1BFB4EF87614F0A40CBE884CB6A3D2296919D772

                  Control-flow Graph

                  APIs
                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0115AB25
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849829586.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_115a000_Explower.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 9d8bcf331459ef1a7745966075c824ee0af2c601778c98d2cacf116fd2eb0fbf
                  • Instruction ID: 3b8397dc3a1331be496cdc9ebb52f2f2d00eb1e43b1be9e8af427eed51d56820
                  • Opcode Fuzzy Hash: 9d8bcf331459ef1a7745966075c824ee0af2c601778c98d2cacf116fd2eb0fbf
                  • Instruction Fuzzy Hash: 81218171600200AFE761CF65DD45FA6FBE8EF08614F048969EE498B652D375E508CBB2

                  Control-flow Graph

                  APIs
                  • GetFileType.KERNELBASE(?,00000E24,8EB2BDE9,00000000,00000000,00000000,00000000), ref: 0115ACBD
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849829586.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_115a000_Explower.jbxd
                  Similarity
                  • API ID: FileType
                  • String ID:
                  • API String ID: 3081899298-0
                  • Opcode ID: 28386ccc005927c69ffbd6d8869e6c8998ba1edf31e2ebd9c263c2e890564d9c
                  • Instruction ID: 18f788690c5b0094b7cc18c3c832379f9f952b6018cdf0da5601c0a5665f2417
                  • Opcode Fuzzy Hash: 28386ccc005927c69ffbd6d8869e6c8998ba1edf31e2ebd9c263c2e890564d9c
                  • Instruction Fuzzy Hash: 9221D8B55093806FE7128B15DC50BE2BFB8DF47314F0880D6E984CB253D364A909C771

                  Control-flow Graph

                  APIs
                  • SetErrorMode.KERNELBASE(?), ref: 0115AA44
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849829586.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_115a000_Explower.jbxd
                  Similarity
                  • API ID: ErrorMode
                  • String ID:
                  • API String ID: 2340568224-0
                  • Opcode ID: 70ee4469f1be73f27fa3cd72668bdadbb7a55a947a2de2012e63bbdf61b312d0
                  • Instruction ID: 8a8acc75b48e13b4528c3401b0c5fcdf6338bb46336803e30e700e6a01e91c73
                  • Opcode Fuzzy Hash: 70ee4469f1be73f27fa3cd72668bdadbb7a55a947a2de2012e63bbdf61b312d0
                  • Instruction Fuzzy Hash: D421596544E3C09FD7138B259C64A51BFB4EF53624F0E81DBD984CF6A3D2689809CB72

                  Control-flow Graph

                  APIs
                  • CreateMutexW.KERNELBASE(?,?), ref: 0115B01D
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849829586.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_115a000_Explower.jbxd
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: 04e191ca41fa691011f9d325661504e5756b92da3081b8bb2ba2ba58bb2be751
                  • Instruction ID: 1498bf7cd7d49577f7c4d044934e0f7273e7bab44236dd2591f150ddece9a484
                  • Opcode Fuzzy Hash: 04e191ca41fa691011f9d325661504e5756b92da3081b8bb2ba2ba58bb2be751
                  • Instruction Fuzzy Hash: 8521C2716042009FE724CF69DD85BA6FBE8EF04220F04846AED58CB742D375E508CB76

                  Control-flow Graph

                  APIs
                  • WriteFile.KERNELBASE(?,00000E24,8EB2BDE9,00000000,00000000,00000000,00000000), ref: 0115AE4D
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849829586.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_115a000_Explower.jbxd
                  Similarity
                  • API ID: FileWrite
                  • String ID:
                  • API String ID: 3934441357-0
                  • Opcode ID: 013b4652c4ac4a8941333dc17b0904165e2e3177e0fe6c507c811e3bdac253c0
                  • Instruction ID: eebcfc4e989d10c2a842477cf039b26d412d76d63874a34748eab36e78bc7bd9
                  • Opcode Fuzzy Hash: 013b4652c4ac4a8941333dc17b0904165e2e3177e0fe6c507c811e3bdac253c0
                  • Instruction Fuzzy Hash: 6C21A471505340AFD722CF55DC44F97BFB8EF45210F08849AE9489B552C335A508CBB2

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849829586.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_115a000_Explower.jbxd
                  Similarity
                  • API ID: Initialize
                  • String ID:
                  • API String ID: 2538663250-0
                  • Opcode ID: eddc3678744628bb415d62d6233b52ba88af32d87c09e66e502c390df91d65ae
                  • Instruction ID: ce555ae2e93b6566d948a705f3336037ce47f89ffffd267c688d84dca7dc11da
                  • Opcode Fuzzy Hash: eddc3678744628bb415d62d6233b52ba88af32d87c09e66e502c390df91d65ae
                  • Instruction Fuzzy Hash: FB21497190E3C09FDB538B25DC94692BFB49F47220F0984DBDD848F1A3D2699908CBB2

                  Control-flow Graph

                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0115A5DE
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849829586.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_115a000_Explower.jbxd
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: 4a4101ad25302eb9b9f1fe729412eb607b793ae3e140d3896f067ff853b9c285
                  • Instruction ID: 72345c912dd1354e17b26f988f0ceb0e7e8db16db53b72f97d5a2699c9027bac
                  • Opcode Fuzzy Hash: 4a4101ad25302eb9b9f1fe729412eb607b793ae3e140d3896f067ff853b9c285
                  • Instruction Fuzzy Hash: 2411AF71449380AFDB228F54DC44A62FFF4EF4A210F08889AEE858B562C235A418DB72

                  Control-flow Graph

                  APIs
                  • WriteFile.KERNELBASE(?,00000E24,8EB2BDE9,00000000,00000000,00000000,00000000), ref: 0115AE4D
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849829586.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_115a000_Explower.jbxd
                  Similarity
                  • API ID: FileWrite
                  • String ID:
                  • API String ID: 3934441357-0
                  • Opcode ID: d74d66a7b32594d2f76c4819ac8b661bc0c686a4fd386ed421bccb97c0853a58
                  • Instruction ID: ae7164e3e904eb4bf57ccc3691f89dcf0b362375300125b2ebe3106ea57e2956
                  • Opcode Fuzzy Hash: d74d66a7b32594d2f76c4819ac8b661bc0c686a4fd386ed421bccb97c0853a58
                  • Instruction Fuzzy Hash: 6011C172900200EFEB21CF55EC44FA6FBE8EF04724F08855AEE499B651C375A548CBB6

                  Control-flow Graph

                  APIs
                  • GetFileType.KERNELBASE(?,00000E24,8EB2BDE9,00000000,00000000,00000000,00000000), ref: 0115ACBD
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849829586.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_115a000_Explower.jbxd
                  Similarity
                  • API ID: FileType
                  • String ID:
                  • API String ID: 3081899298-0
                  • Opcode ID: b1a67571230e6b4bce494c1b44eaa36483b82cb1847f3e047c44adf6b1b5429a
                  • Instruction ID: 77a7eb8802841006825bdac12a4eb971a2471c00e9f3d87e9ba3bb7fe2e6c8a4
                  • Opcode Fuzzy Hash: b1a67571230e6b4bce494c1b44eaa36483b82cb1847f3e047c44adf6b1b5429a
                  • Instruction Fuzzy Hash: 96012271600200AFE720CB05EC84BE6FBECDF05624F08C096EE088B741C374E548CAB6
                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0115A5DE
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849829586.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_115a000_Explower.jbxd
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: ac556ac4cb1962a8d47c6a4ed3a1e646c7f533d44dc26d2c4ea5325d45111e94
                  • Instruction ID: c544093d1abe965deaaf50c6d92e865cd354d8b49c710aeb7a6b7230eceb66cb
                  • Opcode Fuzzy Hash: ac556ac4cb1962a8d47c6a4ed3a1e646c7f533d44dc26d2c4ea5325d45111e94
                  • Instruction Fuzzy Hash: 61016D72900600DFDB618F55E844B62FFE4EF48720F08899ADE494B652C376E518DFA2
                  APIs
                  • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0115A77E
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849829586.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_115a000_Explower.jbxd
                  Similarity
                  • API ID: Clipboard
                  • String ID:
                  • API String ID: 220874293-0
                  • Opcode ID: d56c4a86356af1f9b95e46a3e1dd63ae2c21ac671e721b7d38c34a23bddb8eb1
                  • Instruction ID: 43c5082cee8c9046ac178fc86147521f0c5fe78aa5dff1e0c61ab3bdfff8d4ce
                  • Opcode Fuzzy Hash: d56c4a86356af1f9b95e46a3e1dd63ae2c21ac671e721b7d38c34a23bddb8eb1
                  • Instruction Fuzzy Hash: E701A271900200ABD210DF16CD86B66FBE8FB88A20F148159ED089BB41D735F955CBE5
                  APIs
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849829586.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_115a000_Explower.jbxd
                  Similarity
                  • API ID: Initialize
                  • String ID:
                  • API String ID: 2538663250-0
                  • Opcode ID: 24c216efbf25e07750d0fb2b9f5cc7cdf49532e6515bbdf1d1afe50cea4832fd
                  • Instruction ID: b578f94e9b12169a48f67a1c6ccbded2aff39de7edd2ceec7a8d4b01d4f56c87
                  • Opcode Fuzzy Hash: 24c216efbf25e07750d0fb2b9f5cc7cdf49532e6515bbdf1d1afe50cea4832fd
                  • Instruction Fuzzy Hash: 54018B75900240DFDB50CF15E8847A6FBE4EF45220F08C4AADD488B656D379A508CEB2
                  APIs
                  • SetErrorMode.KERNELBASE(?), ref: 0115AA44
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849829586.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_115a000_Explower.jbxd
                  Similarity
                  • API ID: ErrorMode
                  • String ID:
                  • API String ID: 2340568224-0
                  • Opcode ID: 61ec7f683856e4580cdd9ee76bf57e149810b6e2d3c86c8d4ae48cd86a16db96
                  • Instruction ID: f8daffbbc7be3c052c9ab835e376ebc3e24dcc443cbaffd32e7620927c98c43a
                  • Opcode Fuzzy Hash: 61ec7f683856e4580cdd9ee76bf57e149810b6e2d3c86c8d4ae48cd86a16db96
                  • Instruction Fuzzy Hash: 2CF0A935940240DFDB608F19E985BA1FBE4EF45624F08C1AADE494B752D3B9E508CEA3
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1851043432.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_5050000_Explower.jbxd
                  Similarity
                  • API ID:
                  • String ID: 2l
                  • API String ID: 0-2574689970
                  • Opcode ID: 95fb4914d8bb053500355e8aaa6ffa6791f0836bd63d8b5841560a61a6dccf15
                  • Instruction ID: d3411a0bd9a8710f01e7f1b12bc9308e671474d31ab5cf07db0a24e59af21a35
                  • Opcode Fuzzy Hash: 95fb4914d8bb053500355e8aaa6ffa6791f0836bd63d8b5841560a61a6dccf15
                  • Instruction Fuzzy Hash: A4814D30A00268CFDB18EFB5D851BEDB7B2BF45308F0045A9D509AB2A8DB759D84CF51
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1851043432.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_5050000_Explower.jbxd
                  Similarity
                  • API ID:
                  • String ID: 2l
                  • API String ID: 0-2574689970
                  • Opcode ID: a774e9918e492621bcfde9155a2cd1f83e1c34496759a69c3d1061e1b1fbc7a8
                  • Instruction ID: b8c4e0805e1549840fbd689abe9717c55cec79415bc41f5d76f201d201c06ef0
                  • Opcode Fuzzy Hash: a774e9918e492621bcfde9155a2cd1f83e1c34496759a69c3d1061e1b1fbc7a8
                  • Instruction Fuzzy Hash: CD414C30A00258CFDB18EFB5D855BEDB7B2BF45308F0045AAD409AB295DB759D44CF52
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1851043432.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_5050000_Explower.jbxd
                  Similarity
                  • API ID:
                  • String ID: :@k
                  • API String ID: 0-2277858631
                  • Opcode ID: a5b4c5263cfa841ef849b3c79acd3630e7ac96c18fa91a79ca0dd32d4036f096
                  • Instruction ID: 275d7b97127cb5145a9aa972e4b8071fcd2d76af922861421dc25af96d8295c3
                  • Opcode Fuzzy Hash: a5b4c5263cfa841ef849b3c79acd3630e7ac96c18fa91a79ca0dd32d4036f096
                  • Instruction Fuzzy Hash: 7231B230B002219FDB45BB75D8157BF33ABAB98258F108429D905D77A8EF39DD05C792
                  APIs
                  • CloseHandle.KERNELBASE(?), ref: 0115ABF0
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849829586.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_115a000_Explower.jbxd
                  Similarity
                  • API ID: CloseHandle
                  • String ID:
                  • API String ID: 2962429428-0
                  • Opcode ID: a74155aebc5bcd5ffcf4788f991fa9b552622d50cee0c6a65a8bba8d82fad7d3
                  • Instruction ID: 1a114c244a655016372c884b9286784c3aa3092b4f92463a2d01a5387b66681e
                  • Opcode Fuzzy Hash: a74155aebc5bcd5ffcf4788f991fa9b552622d50cee0c6a65a8bba8d82fad7d3
                  • Instruction Fuzzy Hash: 3921047550A3C09FDB038B25DC95692BFB8EF07220F0984DBDD848F6A3D2649908C762
                  APIs
                  • CloseHandle.KERNELBASE(?), ref: 0115ABF0
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849829586.000000000115A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_115a000_Explower.jbxd
                  Similarity
                  • API ID: CloseHandle
                  • String ID:
                  • API String ID: 2962429428-0
                  • Opcode ID: 4c24edc83fe496cbfabf30f2ef2aa9c0f8be9cf07b138e7937d3228b73548000
                  • Instruction ID: 3e4b5d77ca6401db0177ee846c653463034c78d7b0f7666e65c98c21396cd2df
                  • Opcode Fuzzy Hash: 4c24edc83fe496cbfabf30f2ef2aa9c0f8be9cf07b138e7937d3228b73548000
                  • Instruction Fuzzy Hash: FC018F75A04240DFDB548F19E8857A6FBE4EF05220F08C4ABDD498F756D379E508CAA2
                  Memory Dump Source
                  • Source File: 00000003.00000002.1851043432.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_5050000_Explower.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 92d8d4feaa589e55bffef41f46496ae456bb571cafd545cdc2b76a00930e53cd
                  • Instruction ID: c68cb44c5ffb2cef151d4223e890b6336994520859f1851548e4a0de9f6e2cca
                  • Opcode Fuzzy Hash: 92d8d4feaa589e55bffef41f46496ae456bb571cafd545cdc2b76a00930e53cd
                  • Instruction Fuzzy Hash: 0C01046140F7C19FC3039360AC627823F746B53244F4F41D7D090CA2A7DA6C8819C763
                  Memory Dump Source
                  • Source File: 00000003.00000002.1851043432.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_5050000_Explower.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d3ed7b6f929d10ff2767bdde4bacb99c8a0d06eab65601de1cafc2b7b18f0634
                  • Instruction ID: d0bd163464fba24c75f0ae2a4179419ba72ff51f7f1a2c277b69ad0eef1ea778
                  • Opcode Fuzzy Hash: d3ed7b6f929d10ff2767bdde4bacb99c8a0d06eab65601de1cafc2b7b18f0634
                  • Instruction Fuzzy Hash: 0111A130206342CFCB45EB35D55849D7BE2EF95248B00896CE4558B728DF32D8588B83
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849620837.0000000000E20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_e20000_Explower.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 370d4d66043212d34bccbd0bb2c1d27eb24c065804590d1adc35c8ee62f13376
                  • Instruction ID: 55213fb4a58ccdce6da3c4a669a10098e44ae93dec8efcca7e87f1241715ed0d
                  • Opcode Fuzzy Hash: 370d4d66043212d34bccbd0bb2c1d27eb24c065804590d1adc35c8ee62f13376
                  • Instruction Fuzzy Hash: 13F0A9B65497805FD711CF15AC448A3FFE8EF96620709C4AFED49CB612D125B908C772
                  Memory Dump Source
                  • Source File: 00000003.00000002.1851043432.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_5050000_Explower.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4eb5e54b618558e8a49b96173ddf305b74f51543285307481ab635aa5bee0290
                  • Instruction ID: f14792e30b7cb854ab35c0563e95572c2e245634d58d41b1a0d0e1dcdbfe3f42
                  • Opcode Fuzzy Hash: 4eb5e54b618558e8a49b96173ddf305b74f51543285307481ab635aa5bee0290
                  • Instruction Fuzzy Hash: E2F0C835A00304AFDB089B7088127EE7BA6DF92724F10856ED5819B1D1DA364841C780
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849620837.0000000000E20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_e20000_Explower.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: eef73adc6fca7114adedeb8a9a6bba255a1551207606649dd0a4cffb746e54e2
                  • Instruction ID: ef9ebffd0a888043fb86ff828ab5f65167a3adb941614528c7b400efa1256f1d
                  • Opcode Fuzzy Hash: eef73adc6fca7114adedeb8a9a6bba255a1551207606649dd0a4cffb746e54e2
                  • Instruction Fuzzy Hash: 75E092BAA006008BD750CF0AEC81492F7D8EB84630B08C07FDD0D8B701D639F509CAA5
                  Memory Dump Source
                  • Source File: 00000003.00000002.1851043432.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_5050000_Explower.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: de7410c0cc7a962978840fa9548c1b32b2b67c46470315a594d1780711cb2689
                  • Instruction ID: 8de1454fad697e52ec16a18e445aef4f9832b210e879722602331c6ba5160d8d
                  • Opcode Fuzzy Hash: de7410c0cc7a962978840fa9548c1b32b2b67c46470315a594d1780711cb2689
                  • Instruction Fuzzy Hash: 35E0EC301693D0CFDB2A5B3890284A93B716F8621D35454FEC4968A67ADA7A8981CB40
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849814988.0000000001152000.00000040.00000800.00020000.00000000.sdmp, Offset: 01152000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_1152000_Explower.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 72c75970405f2a11ea074910aac8a11816666528ddc83dbe48ebdff167f4b01e
                  • Instruction ID: 7ede77a91246fb27e0043c07bad06eeaaa39c6586f62d8db2a247e69f94faa08
                  • Opcode Fuzzy Hash: 72c75970405f2a11ea074910aac8a11816666528ddc83dbe48ebdff167f4b01e
                  • Instruction Fuzzy Hash: 58D05E7A3057C1CFE31A9A1CC1A4B953FE8AB61714F5A44F9AC008B763C768D581D600
                  Memory Dump Source
                  • Source File: 00000003.00000002.1849814988.0000000001152000.00000040.00000800.00020000.00000000.sdmp, Offset: 01152000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_1152000_Explower.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 41644404bcc5dfdc75070252c64e91916dfabd1df98a63a5f06100285f1268d1
                  • Instruction ID: 78a405246f0211a67fcb61326bd646972ee4a63cb4020d445c1d6b3d7097cee3
                  • Opcode Fuzzy Hash: 41644404bcc5dfdc75070252c64e91916dfabd1df98a63a5f06100285f1268d1
                  • Instruction Fuzzy Hash: 8AD05E35204281CFD759DA0CC6D4F593BD8AB54B14F1A44E8AC208B762C7B4D8C1CA00